1

Better proofs for rekeying

D. J. Bernstein

Security of AES-256 key $k$ is far below $2^{256}$ in most protocols: $(\mathrm{AES}_k(0), \ldots, \mathrm{AES}_k(n-1))$ is distinguishable from uniform with probability $n(n-1)/2^{129}$, plus tiny key-guessing probability. Yes, distinguishers matter. Attacker actually has $T$ targets: independent keys $k_1, \ldots, k_T$. Success chance $\approx Tn(n-1)/2^{129}$.
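As an added example (not code from the slides), the distinguisher behind the $n(n-1)/2^{129}$ figure: a block cipher under a fixed key is a permutation, so its counter outputs are pairwise distinct, while $n$ uniform $b$-bit blocks repeat one with probability about $n(n-1)/2^{b+1}$. The script evaluates the slide's formula for AES ($b = 128$) and for $T$ targets, and checks the advantage empirically on a random permutation of small $b$-bit blocks. The small random permutation is assumed to stand in for AES only for the injectivity property the distinguisher uses; all parameters are constructed sample values.

```python
"""Added example (not from the slides): the "all blocks distinct" distinguisher
behind n(n-1)/2^129.

Under a fixed key a block cipher is a permutation, so E_k(0), ..., E_k(n-1)
are pairwise distinct.  n uniform b-bit blocks contain a repeat with
probability about n(n-1)/2^(b+1).  Answering "cipher" iff all n blocks are
distinct therefore distinguishes with advantage about n(n-1)/2^(b+1);
for AES (b = 128) that is the slide's n(n-1)/2^129.

Real AES cannot be sampled to the collision point, so the empirical part uses
a random permutation on small b-bit blocks.  Assumption: only injectivity
matters for this distinguisher, so a small random permutation is a faithful
stand-in.  All parameters below are constructed sample values.
"""
import math
import random
from fractions import Fraction


def expected_advantage(n: int, block_bits: int) -> Fraction:
    """Birthday estimate n(n-1)/2^(b+1) as an exact fraction."""
    return Fraction(n * (n - 1), 2 ** (block_bits + 1))


def multi_target_advantage(n: int, block_bits: int, targets: int) -> Fraction:
    """T independent keys, n blocks each: T * n(n-1)/2^(b+1) (union bound over targets)."""
    return targets * expected_advantage(n, block_bits)


def log2_advantage(advantage: Fraction) -> float:
    """log2 of an advantage, for reading off 'security in bits' (exact on big ints)."""
    return math.log2(advantage.numerator) - math.log2(advantage.denominator)


def all_distinct(blocks) -> bool:
    """The distinguisher's test: True means 'looks like a permutation'."""
    return len(set(blocks)) == len(blocks)


def prp_outputs(n: int, block_bits: int, rng: random.Random) -> list:
    """E_k(0..n-1) for a fresh random permutation E_k on b-bit blocks: always distinct."""
    return rng.sample(range(2 ** block_bits), n)


def uniform_outputs(n: int, block_bits: int, rng: random.Random) -> list:
    """n independent uniform b-bit blocks: may repeat."""
    return [rng.getrandbits(block_bits) for _ in range(n)]


def empirical_advantage(n: int, block_bits: int, trials: int, seed: int = 1) -> float:
    """Pr[all_distinct | permutation] - Pr[all_distinct | uniform], estimated by sampling."""
    rng = random.Random(seed)
    perm_hits = sum(all_distinct(prp_outputs(n, block_bits, rng)) for _ in range(trials))
    unif_hits = sum(all_distinct(uniform_outputs(n, block_bits, rng)) for _ in range(trials))
    return (perm_hits - unif_hits) / trials


if __name__ == "__main__":
    n, T = 10**6, 2**32  # constructed: one million blocks per key, 2^32 keys
    print("single key   : 2^%.1f" % log2_advantage(expected_advantage(n, 128)))
    print("T targets    : 2^%.1f" % log2_advantage(multi_target_advantage(n, 128, T)))
    est = empirical_advantage(64, 16, 4000)
    print("toy b=16 n=64: predicted %.4f observed %.4f"
          % (float(expected_advantage(64, 16)), est))
```

With $n = 10^6$ the single-key advantage comes out near $2^{-89}$, the figure on slide 3; multiplying by $T = 2^{32}$ targets moves it to about $2^{-57}$, which is why the slides treat the multi-target count as part of the security level rather than a footnote.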

2

“Rekeying” seems less dangerous. Expand $k$ into $F(k) = (\mathrm{AES}_k(0), \ldots, \mathrm{AES}_k(999999))$. Split $F(k)$ into 500000 “subkeys”. Output $F(k')$ for each subkey $k'$: i.e., $F(\mathrm{AES}_k(0), \mathrm{AES}_k(1))$; $F(\mathrm{AES}_k(2), \mathrm{AES}_k(3))$; $\ldots$; $F(\mathrm{AES}_k(999998), \mathrm{AES}_k(999999))$. Repeat for $k_1, \ldots, k_T$. What is attacker's success chance $p_T$? Intuitively clear that $p_T \le T p_1$. So let's analyze $p_1$.

slide-4
SLIDE 4

1

proofs for rekeying Bernstein Security of AES-256 key k is elow 2256 in most protocols: (0); : : : ; AESk(n − 1)) distinguishable from uniform robability n(n − 1)=2129, tiny key-guessing probability. distinguishers matter. er actually has T targets: endent keys k1; : : : ; kT . Success chance ≈ Tn(n − 1)=2129.

2

“Rekeying” seems less dangerous. Expand k into F(k) = (AESk(0); : : : ; AESk(999999)). Split F(k) into 500000 “subkeys”. Output F(k′) for each subkey k′: i.e., F(AESk(0); AESk(1)); F(AESk(2); AESk(3)); : : : F(AESk(999998); AESk(999999)). Repeat for k1; : : : ; kT . What is attacker’s success chance pT ? Intuitively clear that pT ≤ Tp1. So let’s analyze p1. Attack strategy master k from a unif Years of to distinguish uniform Distinctness

slide-5
SLIDE 5

1

r rekeying AES-256 key k is most protocols: AESk(n − 1)) distinguishable from uniform n(n − 1)=2129, ey-guessing probability. distinguishers matter. actually has T targets: eys k1; : : : ; kT . ≈ Tn(n − 1)=2129.

2

“Rekeying” seems less dangerous. Expand k into F(k) = (AESk(0); : : : ; AESk(999999)). Split F(k) into 500000 “subkeys”. Output F(k′) for each subkey k′: i.e., F(AESk(0); AESk(1)); F(AESk(2); AESk(3)); : : : F(AESk(999998); AESk(999999)). Repeat for k1; : : : ; kT . What is attacker’s success chance pT ? Intuitively clear that pT ≤ Tp1. So let’s analyze p1. Attack strategy 1: master key k. Distinguish from a uniform random Years of cryptanalysis to distinguish AES uniform string of distinct Distinctness loses

slide-6
SLIDE 6

1

is rotocols: 1)) uniform 2129, robability. rgets:

T .

1)=2129.

2

“Rekeying” seems less dangerous. Expand k into F(k) = (AESk(0); : : : ; AESk(999999)). Split F(k) into 500000 “subkeys”. Output F(k′) for each subkey k′: i.e., F(AESk(0); AESk(1)); F(AESk(2); AESk(3)); : : : F(AESk(999998); AESk(999999)). Repeat for k1; : : : ; kT . What is attacker’s success chance pT ? Intuitively clear that pT ≤ Tp1. So let’s analyze p1. Attack strategy 1: Attack the master key k. Distinguish F from a uniform random string. Years of cryptanalysis say: ha to distinguish AES outputs from uniform string of distinct blo Distinctness loses ≈1=289.

slide-7
SLIDE 7

2

“Rekeying” seems less dangerous. Expand k into F(k) = (AESk(0); : : : ; AESk(999999)). Split F(k) into 500000 “subkeys”. Output F(k′) for each subkey k′: i.e., F(AESk(0); AESk(1)); F(AESk(2); AESk(3)); : : : F(AESk(999998); AESk(999999)). Repeat for k1; : : : ; kT . What is attacker’s success chance pT ? Intuitively clear that pT ≤ Tp1. So let’s analyze p1.

3

Attack strategy 1: Attack the master key k. Distinguish F(k) from a uniform random string. Years of cryptanalysis say: hard to distinguish AES outputs from uniform string of distinct blocks. Distinctness loses ≈1=289.

slide-8
SLIDE 8

2

“Rekeying” seems less dangerous. Expand k into F(k) = (AESk(0); : : : ; AESk(999999)). Split F(k) into 500000 “subkeys”. Output F(k′) for each subkey k′: i.e., F(AESk(0); AESk(1)); F(AESk(2); AESk(3)); : : : F(AESk(999998); AESk(999999)). Repeat for k1; : : : ; kT . What is attacker’s success chance pT ? Intuitively clear that pT ≤ Tp1. So let’s analyze p1.

3

Attack strategy 1: Attack the master key k. Distinguish F(k) from a uniform random string. Years of cryptanalysis say: hard to distinguish AES outputs from uniform string of distinct blocks. Distinctness loses ≈1=289. Attack strategy 2: Attack a subkey k′. Distinguish F(k′) from uniform, assuming k′ is uniform.

slide-9
SLIDE 9

2

“Rekeying” seems less dangerous. Expand k into F(k) = (AESk(0); : : : ; AESk(999999)). Split F(k) into 500000 “subkeys”. Output F(k′) for each subkey k′: i.e., F(AESk(0); AESk(1)); F(AESk(2); AESk(3)); : : : F(AESk(999998); AESk(999999)). Repeat for k1; : : : ; kT . What is attacker’s success chance pT ? Intuitively clear that pT ≤ Tp1. So let’s analyze p1.

3

Attack strategy 1: Attack the master key $k$. Distinguish $F(k)$ from a uniform random string. Years of cryptanalysis say: hard to distinguish AES outputs from uniform string of distinct blocks. Distinctness loses $\approx 1/2^{89}$ (that is $n(n-1)/2^{129}$ with $n = 10^6$). Attack strategy 2: Attack a subkey $k'$. Distinguish $F(k')$ from uniform, assuming $k'$ is uniform. Intuition: No other attacks exist. But where is this proven?

slide-10
SLIDE 10

2

eying” seems less dangerous. Expand k into F(k) = (0); : : : ; AESk(999999)). (k) into 500000 “subkeys”. Output F(k′) for each subkey k′: (AESk(0); AESk(1));

k(2); AESk(3)); : : : k(999998); AESk(999999)).

eat for k1; : : : ; kT . What is attacker’s success chance pT ? Intuitively clear that pT ≤ Tp1. let’s analyze p1.

3

Attack strategy 1: Attack the master key k. Distinguish F(k) from a uniform random string. Years of cryptanalysis say: hard to distinguish AES outputs from uniform string of distinct blocks. Distinctness loses ≈1=289. Attack strategy 2: Attack a subkey k′. Distinguish F(k′) from uniform, assuming k′ is uniform. Intuition: No other attacks exist. But where is this proven? FOCS 1996 Krawczyk security 2-level ca (N1; N2);

slide-11
SLIDE 11

2

seems less dangerous. (k) = AESk(999999)). 500000 “subkeys”. r each subkey k′: AESk(1));

k(3)); : : :

(999998); AESk(999999)). : ; kT . What is success chance pT ? that pT ≤ Tp1. p1.

3

Attack strategy 1: Attack the master key k. Distinguish F(k) from a uniform random string. Years of cryptanalysis say: hard to distinguish AES outputs from uniform string of distinct blocks. Distinctness loses ≈1=289. Attack strategy 2: Attack a subkey k′. Distinguish F(k′) from uniform, assuming k′ is uniform. Intuition: No other attacks exist. But where is this proven? FOCS 1996 Bellare–Canetti– Krawczyk claims to security of ‘-level “cascade”. 2-level cascade: key (N1; N2); output S

slide-12
SLIDE 12

2

ngerous. (999999)). “subkeys”. subkey k′: (1)); (999999)). What is chance pT ? Tp1.

3

Attack strategy 1: Attack the master key k. Distinguish F(k) from a uniform random string. Years of cryptanalysis say: hard to distinguish AES outputs from uniform string of distinct blocks. Distinctness loses ≈1=289. Attack strategy 2: Attack a subkey k′. Distinguish F(k′) from uniform, assuming k′ is uniform. Intuition: No other attacks exist. But where is this proven? FOCS 1996 Bellare–Canetti– Krawczyk claims to prove security of ‘-level “cascade”. 2-level cascade: key k; input (N1; N2); output S(S(k; N1)

slide-13
SLIDE 13

3

Attack strategy 1: Attack the master key k. Distinguish F(k) from a uniform random string. Years of cryptanalysis say: hard to distinguish AES outputs from uniform string of distinct blocks. Distinctness loses ≈1=289. Attack strategy 2: Attack a subkey k′. Distinguish F(k′) from uniform, assuming k′ is uniform. Intuition: No other attacks exist. But where is this proven?

4

FOCS 1996 Bellare–Canetti– Krawczyk claims to prove security of ‘-level “cascade”. 2-level cascade: key k; input (N1; N2); output S(S(k; N1); N2).

slide-14
SLIDE 14

3

Attack strategy 1: Attack the master key k. Distinguish F(k) from a uniform random string. Years of cryptanalysis say: hard to distinguish AES outputs from uniform string of distinct blocks. Distinctness loses ≈1=289. Attack strategy 2: Attack a subkey k′. Distinguish F(k′) from uniform, assuming k′ is uniform. Intuition: No other attacks exist. But where is this proven?

4

FOCS 1996 Bellare–Canetti– Krawczyk claims to prove security of ‘-level “cascade”. 2-level cascade: key k; input (N1; N2); output S(S(k; N1); N2). Example: Define S(k; N) = (AESk(2N); AESk(2N + 1)), with N ∈ {0; 1; : : : ; 499999}. S expands AES-256 key k into (AESk(0); : : : ; AESk(999999)).

slide-15
SLIDE 15

3

Attack strategy 1: Attack the master key k. Distinguish F(k) from a uniform random string. Years of cryptanalysis say: hard to distinguish AES outputs from uniform string of distinct blocks. Distinctness loses ≈1=289. Attack strategy 2: Attack a subkey k′. Distinguish F(k′) from uniform, assuming k′ is uniform. Intuition: No other attacks exist. But where is this proven?

4

FOCS 1996 Bellare–Canetti–Krawczyk claims to prove security of $\ell$-level “cascade”. 2-level cascade: key $k$; input $(N_1, N_2)$; output $S(S(k, N_1), N_2)$. Example: Define $S(k, N) = (\mathrm{AES}_k(2N), \mathrm{AES}_k(2N+1))$, with $N \in \{0, 1, \ldots, 499999\}$. $S$ expands AES-256 key $k$ into $(\mathrm{AES}_k(0), \ldots, \mathrm{AES}_k(999999))$. Paper credits 1986 Goldwasser–Goldreich–Micali for 1-bit $N_i$: $S$ expands $k$ into $S(k, 0), S(k, 1)$.
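The construction on this slide and on slide 2 (expand $k$ into $F(k)$, split it into 32-byte subkeys, rekey with each) as an added example; it is not code from the slides or from the Bellare–Canetti–Krawczyk paper. It assumes $\mathrm{AES}_k(i)$ means AES-256 applied to the 16-byte big-endian encoding of $i$ (the slide fixes no encoding) and uses the `cryptography` package for AES; if that package is missing it falls back to an HMAC-SHA256 stand-in, labelled as such in the code, so the structure can still be exercised. The 500000-subkey sizes are the slide's; call `subkeys(key, num_blocks)` with a small `num_blocks` for a quick check rather than expanding the full $F(k)$.

```python
"""Added example (not code from the slides or the BCK paper): the 2-level
cascade S(S(k, N1), N2) with S(k, N) = (AES_k(2N), AES_k(2N+1)).

Assumptions (the slide fixes neither): AES_k(i) is AES-256 applied to the
16-byte big-endian encoding of i, computed with the `cryptography` package.
If that package is absent, a stdlib HMAC-SHA256 stand-in with the same shape
(32-byte key -> 16-byte block) is used instead; it is NOT AES and only lets
the structure be run.  The key used below is a constructed sample value.
"""
import hashlib
import hmac

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block(key: bytes, counter: int) -> bytes:
        """AES-256_key(counter): one raw 16-byte block (single-block ECB)."""
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(counter.to_bytes(16, "big")) + enc.finalize()

    BLOCK_IMPL = "AES-256 (cryptography package)"
except ImportError:
    def block(key: bytes, counter: int) -> bytes:
        """Stand-in only: HMAC-SHA256 truncated to 16 bytes; not AES."""
        return hmac.new(key, counter.to_bytes(16, "big"), hashlib.sha256).digest()[:16]

    BLOCK_IMPL = "HMAC-SHA256 stand-in (cryptography not installed)"

NUM_SUBKEYS = 500_000          # #{N} on the slide: N in {0, ..., 499999}
NUM_BLOCKS = 2 * NUM_SUBKEYS   # F(k) = (AES_k(0), ..., AES_k(999999))


def S(key: bytes, N: int, num_subkeys: int = NUM_SUBKEYS) -> bytes:
    """S(k, N) = AES_k(2N) || AES_k(2N+1): 32 bytes, i.e. one AES-256 subkey."""
    if len(key) != 32:
        raise ValueError("AES-256 key must be 32 bytes")
    if not 0 <= N < num_subkeys:
        raise ValueError("N out of range")
    return block(key, 2 * N) + block(key, 2 * N + 1)


def F(key: bytes, num_blocks: int = NUM_BLOCKS) -> bytes:
    """Expand k into AES_k(0) || ... || AES_k(num_blocks - 1)."""
    return b"".join(block(key, i) for i in range(num_blocks))


def subkeys(key: bytes, num_blocks: int = NUM_BLOCKS) -> list:
    """Split F(k) into 32-byte subkeys; subkey N is exactly S(k, N)."""
    if num_blocks % 2:
        raise ValueError("need an even number of blocks for whole 32-byte subkeys")
    expanded = F(key, num_blocks)
    return [expanded[i:i + 32] for i in range(0, len(expanded), 32)]


def cascade(key: bytes, N1: int, N2: int) -> bytes:
    """2-level cascade output S(S(k, N1), N2) for input (N1, N2)."""
    return S(S(key, N1), N2)


def distinct_subkeys_touched(queries) -> int:
    """Number of distinct first-level subkeys a list of (N1, N2) queries reaches.
    This, capped at #{N}, is the number of per-subkey steps a hybrid proof needs."""
    return len({N1 for N1, _ in queries})


if __name__ == "__main__":
    key = bytes(range(32))               # constructed sample master key
    sk = subkeys(key, num_blocks=8)      # first 4 subkeys of F(k), not all 500000
    assert sk[1] == S(key, 1)
    assert cascade(key, 1, 2) == S(sk[1], 2)
    print(BLOCK_IMPL)
    print("subkey 1     :", sk[1].hex())
    print("cascade(1, 2):", cascade(key, 1, 2).hex())
```

The check `cascade(key, N1, N2) == S(subkeys(key)[N1], N2)` is the whole point of the slide's example: the subkeys of slide 2 are precisely the first-level outputs $S(k, N_1)$, so "rekey with each subkey" and "2-level cascade" are the same object, and any theorem about the cascade is a theorem about the rekeying scheme.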

slide-16
SLIDE 16

3

strategy 1: Attack the master key k. Distinguish F(k) uniform random string.

  • f cryptanalysis say: hard

distinguish AES outputs from string of distinct blocks. Distinctness loses ≈1=289. strategy 2: Attack a k′. Distinguish F(k′) from rm, assuming k′ is uniform. Intuition: No other attacks exist. where is this proven?

4

FOCS 1996 Bellare–Canetti– Krawczyk claims to prove security of ‘-level “cascade”. 2-level cascade: key k; input (N1; N2); output S(S(k; N1); N2). Example: Define S(k; N) = (AESk(2N); AESk(2N + 1)), with N ∈ {0; 1; : : : ; 499999}. S expands AES-256 key k into (AESk(0); : : : ; AESk(999999)). Paper credits 1986 Goldwasser– Goldreich–Micali for 1-bit Ni: S expands k into S(k; 0); S(k; 1). Theorem

  • mits facto

Here q is The intuition why does

slide-17
SLIDE 17

3

1: Attack the Distinguish F(k) random string. yptanalysis say: hard AES outputs from

  • f distinct blocks.

es ≈1=289. 2: Attack a Distinguish F(k′) from assuming k′ is uniform.

  • ther attacks exist.

this proven?

4

FOCS 1996 Bellare–Canetti– Krawczyk claims to prove security of ‘-level “cascade”. 2-level cascade: key k; input (N1; N2); output S(S(k; N1); N2). Example: Define S(k; N) = (AESk(2N); AESk(2N + 1)), with N ∈ {0; 1; : : : ; 499999}. S expands AES-256 key k into (AESk(0); : : : ; AESk(999999)). Paper credits 1986 Goldwasser– Goldreich–Micali for 1-bit Ni: S expands k into S(k; 0); S(k; 1). Theorem statement

  • mits factor q. Fixed

Here q is the numb The intuition didn’t why does q matter

slide-18
SLIDE 18

3

the F(k) string. hard

  • utputs from

blocks. . a k′) from uniform. ks exist. roven?

4

FOCS 1996 Bellare–Canetti– Krawczyk claims to prove security of ‘-level “cascade”. 2-level cascade: key k; input (N1; N2); output S(S(k; N1); N2). Example: Define S(k; N) = (AESk(2N); AESk(2N + 1)), with N ∈ {0; 1; : : : ; 499999}. S expands AES-256 key k into (AESk(0); : : : ; AESk(999999)). Paper credits 1986 Goldwasser– Goldreich–Micali for 1-bit Ni: S expands k into S(k; 0); S(k; 1). Theorem statement is wrong:

  • mits factor q. Fixed in 2005.

Here q is the number of queries. The intuition didn’t notice q why does q matter for the p

slide-19
SLIDE 19

4

FOCS 1996 Bellare–Canetti– Krawczyk claims to prove security of ‘-level “cascade”. 2-level cascade: key k; input (N1; N2); output S(S(k; N1); N2). Example: Define S(k; N) = (AESk(2N); AESk(2N + 1)), with N ∈ {0; 1; : : : ; 499999}. S expands AES-256 key k into (AESk(0); : : : ; AESk(999999)). Paper credits 1986 Goldwasser– Goldreich–Micali for 1-bit Ni: S expands k into S(k; 0); S(k; 1).

5

Theorem statement is wrong:

  • mits factor q. Fixed in 2005.

Here q is the number of queries. The intuition didn’t notice q; why does q matter for the proof?

slide-20
SLIDE 20

4

FOCS 1996 Bellare–Canetti– Krawczyk claims to prove security of ‘-level “cascade”. 2-level cascade: key k; input (N1; N2); output S(S(k; N1); N2). Example: Define S(k; N) = (AESk(2N); AESk(2N + 1)), with N ∈ {0; 1; : : : ; 499999}. S expands AES-256 key k into (AESk(0); : : : ; AESk(999999)). Paper credits 1986 Goldwasser– Goldreich–Micali for 1-bit Ni: S expands k into S(k; 0); S(k; 1).

5

Theorem statement is wrong:

  • mits factor q. Fixed in 2005.

Here q is the number of queries. The intuition didn’t notice q; why does q matter for the proof? Proof outline: Take any cascade attack A using at most q queries. Proof has q + 1 steps.

slide-21
SLIDE 21

4

FOCS 1996 Bellare–Canetti– Krawczyk claims to prove security of ‘-level “cascade”. 2-level cascade: key k; input (N1; N2); output S(S(k; N1); N2). Example: Define S(k; N) = (AESk(2N); AESk(2N + 1)), with N ∈ {0; 1; : : : ; 499999}. S expands AES-256 key k into (AESk(0); : : : ; AESk(999999)). Paper credits 1986 Goldwasser– Goldreich–Micali for 1-bit Ni: S expands k into S(k; 0); S(k; 1).

5

Theorem statement is wrong: omits factor $q$. Fixed in 2005. Here $q$ is the number of queries. The intuition didn't notice $q$; why does $q$ matter for the proof? Proof outline: Take any cascade attack $A$ using at most $q$ queries. Proof has $q+1$ steps. Step 0: Replace outputs from master key $k$ with independent uniform random outputs. Distinguisher for this step $\Rightarrow$ attack against $S$.

slide-22
SLIDE 22

4

1996 Bellare–Canetti– czyk claims to prove y of ‘-level “cascade”. cascade: key k; input

2); output S(S(k; N1); N2).

Example: Define S(k; N) = (2N); AESk(2N + 1)), ∈ {0; 1; : : : ; 499999}. expands AES-256 key k into (0); : : : ; AESk(999999)). credits 1986 Goldwasser– Goldreich–Micali for 1-bit Ni: expands k into S(k; 0); S(k; 1).

5

Theorem statement is wrong:

  • mits factor q. Fixed in 2005.

Here q is the number of queries. The intuition didn’t notice q; why does q matter for the proof? Proof outline: Take any cascade attack A using at most q queries. Proof has q + 1 steps. Step 0: Replace outputs from master key k with independent uniform random outputs. Distinguisher for this step ⇒ attack against S. Step 1: for first subk uniform Distinguisher ⇒ attack

slide-23
SLIDE 23

4

Bellare–Canetti– to prove

  • level “cascade”.

key k; input

  • utput S(S(k; N1); N2).

S(k; N) =

k(2N + 1)),

: : ; 499999}. AES-256 key k into AESk(999999)). 1986 Goldwasser– Goldreich–Micali for 1-bit Ni: into S(k; 0); S(k; 1).

5

Theorem statement is wrong:

  • mits factor q. Fixed in 2005.

Here q is the number of queries. The intuition didn’t notice q; why does q matter for the proof? Proof outline: Take any cascade attack A using at most q queries. Proof has q + 1 steps. Step 0: Replace outputs from master key k with independent uniform random outputs. Distinguisher for this step ⇒ attack against S. Step 1: Replace cascade for first subkey with uniform random outputs. Distinguisher for this ⇒ attack against S

slide-24
SLIDE 24

4

re–Canetti– “cascade”. input

1); N2).

= 1)), 499999}. into (999999)). asser– Ni: S(k; 1).

5

Theorem statement is wrong:

  • mits factor q. Fixed in 2005.

Here q is the number of queries. The intuition didn’t notice q; why does q matter for the proof? Proof outline: Take any cascade attack A using at most q queries. Proof has q + 1 steps. Step 0: Replace outputs from master key k with independent uniform random outputs. Distinguisher for this step ⇒ attack against S. Step 1: Replace cascade outputs for first subkey with independent uniform random outputs. Distinguisher for this step ⇒ attack against S.

slide-25
SLIDE 25

5

Theorem statement is wrong:

  • mits factor q. Fixed in 2005.

Here q is the number of queries. The intuition didn’t notice q; why does q matter for the proof? Proof outline: Take any cascade attack A using at most q queries. Proof has q + 1 steps. Step 0: Replace outputs from master key k with independent uniform random outputs. Distinguisher for this step ⇒ attack against S.

6

Step 1: Replace cascade outputs for first subkey with independent uniform random outputs. Distinguisher for this step ⇒ attack against S.

slide-26
SLIDE 26

5

Theorem statement is wrong:

  • mits factor q. Fixed in 2005.

Here q is the number of queries. The intuition didn’t notice q; why does q matter for the proof? Proof outline: Take any cascade attack A using at most q queries. Proof has q + 1 steps. Step 0: Replace outputs from master key k with independent uniform random outputs. Distinguisher for this step ⇒ attack against S.

6

Step 1: Replace cascade outputs for first subkey with independent uniform random outputs. Distinguisher for this step ⇒ attack against S. Step 2: Replace cascade outputs from next (distinct) subkey. : : : Step q: Replace cascade outputs from qth (distinct) subkey. Could skip steps if q > #{N}.

slide-27
SLIDE 27

5

Theorem statement is wrong:

  • mits factor q. Fixed in 2005.

Here q is the number of queries. The intuition didn’t notice q; why does q matter for the proof? Proof outline: Take any cascade attack A using at most q queries. Proof has q + 1 steps. Step 0: Replace outputs from master key k with independent uniform random outputs. Distinguisher for this step ⇒ attack against S.

6

Step 1: Replace cascade outputs for first subkey with independent uniform random outputs. Distinguisher for this step $\Rightarrow$ attack against $S$. Step 2: Replace cascade outputs from next (distinct) subkey. $\ldots$ Step $q$: Replace cascade outputs from $q$th (distinct) subkey. Could skip steps if $q > \#\{N\}$. Further complications in proof to monolithically handle $\ell$ levels. 2011 Bernstein: simpler to compose better 2-level theorem.
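Written out as an added derivation (not on the slides), here is where the factor $q$ comes from: the $q+1$ steps of slides 5 and 6 are a hybrid argument. Let $H_0$ be the real 2-level cascade oracle $(N_1, N_2) \mapsto S(S(k, N_1), N_2)$ with $k$ uniform. Let $H_1$ be the oracle after Step 0, $(N_1, N_2) \mapsto S(k'_{N_1}, N_2)$ with independent uniform subkeys $k'_{N_1}$. For $i = 1, \ldots, q$ let $H_{i+1}$ be $H_i$ with the outputs under the $i$-th distinct subkey that $A$ queries replaced by independent uniform random strings. Since $A$ makes at most $q$ queries it touches at most $q$ distinct subkeys, so $H_{q+1}$ answers every query uniformly at random. The advantage of $A$ telescopes:
$$
\Pr[A^{H_0} = 1] - \Pr[A^{H_{q+1}} = 1] = \sum_{i=0}^{q} \Big( \Pr[A^{H_i} = 1] - \Pr[A^{H_{i+1}} = 1] \Big).
$$
Each term is the advantage of a distinguisher $B_i$ against a single instance of $S$ under a uniform key: $B_i$ runs $A$; for $i = 0$ it sends each $N_1$ to its "$S(k, \cdot)$ or uniform" oracle and computes the second level itself; for $i \ge 1$ it answers queries at the first $i-1$ distinct subkeys with its own uniform strings, sends $N_2$ to its oracle for queries at the $i$-th distinct subkey, and computes $S(k'_{N_1}, N_2)$ with a self-chosen uniform $k'_{N_1}$ for the rest. Hence
$$
\mathrm{Adv}^{\mathrm{cascade}}_{S}(A) \le \sum_{i=0}^{q} \mathrm{Adv}^{\mathrm{prf}}_{S}(B_i) \le \big(1 + \min(q, \#\{N\})\big) \cdot \max_i \mathrm{Adv}^{\mathrm{prf}}_{S}(B_i),
$$
where each $B_i$ makes at most $q$ oracle queries and does about the work of $A$ plus $q$ evaluations of $S$, and the $\min$ is the "could skip steps if $q > \#\{N\}$" remark: there are only $\#\{N\}$ subkeys to replace. The $1 + \min(q, \#\{N\})$ multiplier is the factor the 1996 statement omitted; the "no other attacks exist" intuition compares against one instance of $S$ and never sees it.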

slide-28
SLIDE 28

5

rem statement is wrong: factor q. Fixed in 2005. is the number of queries. intuition didn’t notice q; does q matter for the proof?

  • utline: Take any cascade

A using at most q queries. has q + 1 steps. 0: Replace outputs from master key k with independent random outputs. Distinguisher for this step attack against S.

6

Step 1: Replace cascade outputs for first subkey with independent uniform random outputs. Distinguisher for this step ⇒ attack against S. Step 2: Replace cascade outputs from next (distinct) subkey. : : : Step q: Replace cascade outputs from qth (distinct) subkey. Could skip steps if q > #{N}. Further complications in proof to monolithically handle ‘ levels. 2011 Bernstein: simpler to compose better 2-level theorem. Not happ A different Crypto 1996 Krawczyk

slide-29
SLIDE 29

5

statement is wrong: Fixed in 2005. number of queries. idn’t notice q; matter for the proof? ake any cascade at most q queries. steps.

  • utputs from

with independent

  • utputs.

this step against S.

6

Step 1: Replace cascade outputs for first subkey with independent uniform random outputs. Distinguisher for this step ⇒ attack against S. Step 2: Replace cascade outputs from next (distinct) subkey. : : : Step q: Replace cascade outputs from qth (distinct) subkey. Could skip steps if q > #{N}. Further complications in proof to monolithically handle ‘ levels. 2011 Bernstein: simpler to compose better 2-level theorem. Not happy with cascade A different proof app Crypto 1996 Bellare–Canetti– Krawczyk NMAC/HMA

slide-30
SLIDE 30

5

wrong: 2005. queries. q; proof? cascade queries. from endent

6

Step 1: Replace cascade outputs for first subkey with independent uniform random outputs. Distinguisher for this step ⇒ attack against S. Step 2: Replace cascade outputs from next (distinct) subkey. : : : Step q: Replace cascade outputs from qth (distinct) subkey. Could skip steps if q > #{N}. Further complications in proof to monolithically handle ‘ levels. 2011 Bernstein: simpler to compose better 2-level theorem. Not happy with cascade proofs? A different proof appears in Crypto 1996 Bellare–Canetti– Krawczyk NMAC/HMAC pap

slide-31
SLIDE 31

6

Step 1: Replace cascade outputs for first subkey with independent uniform random outputs. Distinguisher for this step ⇒ attack against S. Step 2: Replace cascade outputs from next (distinct) subkey. : : : Step q: Replace cascade outputs from qth (distinct) subkey. Could skip steps if q > #{N}. Further complications in proof to monolithically handle ‘ levels. 2011 Bernstein: simpler to compose better 2-level theorem.

7

Not happy with cascade proofs? A different proof appears in Crypto 1996 Bellare–Canetti– Krawczyk NMAC/HMAC paper.

slide-32
SLIDE 32

6

Step 1: Replace cascade outputs for first subkey with independent uniform random outputs. Distinguisher for this step ⇒ attack against S. Step 2: Replace cascade outputs from next (distinct) subkey. : : : Step q: Replace cascade outputs from qth (distinct) subkey. Could skip steps if q > #{N}. Further complications in proof to monolithically handle ‘ levels. 2011 Bernstein: simpler to compose better 2-level theorem.

7

Not happy with cascade proofs? A different proof appears in Crypto 1996 Bellare–Canetti– Krawczyk NMAC/HMAC paper. Given key k and input (N1; N2), NMAC computes S(S(k; N1); N2), where S is a stream cipher “compression function”. (Tweaks: output is encrypted; no prefix-free requirement.)

slide-33
SLIDE 33

6

Step 1: Replace cascade outputs for first subkey with independent uniform random outputs. Distinguisher for this step ⇒ attack against S. Step 2: Replace cascade outputs from next (distinct) subkey. : : : Step q: Replace cascade outputs from qth (distinct) subkey. Could skip steps if q > #{N}. Further complications in proof to monolithically handle ‘ levels. 2011 Bernstein: simpler to compose better 2-level theorem.

7

Not happy with cascade proofs? A different proof appears in Crypto 1996 Bellare–Canetti–Krawczyk NMAC/HMAC paper. Given key $k$ and input $(N_1, N_2)$, NMAC computes $S(S(k, N_1), N_2)$, where $S$ is a stream cipher “compression function”. (Tweaks: output is encrypted; no prefix-free requirement.) Proof has weird assumptions. Crypto 2006 Bellare proof: more reasonable-sounding assumptions.

slide-34
SLIDE 34

6

1: Replace cascade outputs first subkey with independent random outputs. Distinguisher for this step attack against S. 2: Replace cascade outputs next (distinct) subkey. : : : : Replace cascade outputs th (distinct) subkey. skip steps if q > #{N}. urther complications in proof monolithically handle ‘ levels. Bernstein: simpler to

  • se better 2-level theorem.

7

Not happy with cascade proofs? A different proof appears in Crypto 1996 Bellare–Canetti– Krawczyk NMAC/HMAC paper. Given key k and input (N1; N2), NMAC computes S(S(k; N1); N2), where S is a stream cipher “compression function”. (Tweaks: output is encrypted; no prefix-free requirement.) Proof has weird assumptions. Crypto 2006 Bellare proof: more reasonable-sounding assumptions. Complicated; 2012 Koblitz–Meneze Bellare’s

slide-35
SLIDE 35

6

cascade outputs with independent

  • utputs.

this step against S. cascade outputs (distinct) subkey. : : : cascade outputs (distinct) subkey. if q > #{N}. complications in proof handle ‘ levels. simpler to 2-level theorem.

7

Not happy with cascade proofs? A different proof appears in Crypto 1996 Bellare–Canetti– Krawczyk NMAC/HMAC paper. Given key k and input (N1; N2), NMAC computes S(S(k; N1); N2), where S is a stream cipher “compression function”. (Tweaks: output is encrypted; no prefix-free requirement.) Proof has weird assumptions. Crypto 2006 Bellare proof: more reasonable-sounding assumptions. Complicated; error-p 2012 Koblitz–Meneze Bellare’s assumptions

slide-36
SLIDE 36

6

  • utputs

endent

  • utputs
  • ey. : : :
  • utputs

. {N}. roof levels. theorem.

7

Not happy with cascade proofs? A different proof appears in Crypto 1996 Bellare–Canetti– Krawczyk NMAC/HMAC paper. Given key k and input (N1; N2), NMAC computes S(S(k; N1); N2), where S is a stream cipher “compression function”. (Tweaks: output is encrypted; no prefix-free requirement.) Proof has weird assumptions. Crypto 2006 Bellare proof: more reasonable-sounding assumptions. Complicated; error-prone. 2012 Koblitz–Menezes: Bellare’s assumptions are wrong.

slide-37
SLIDE 37

7

Not happy with cascade proofs? A different proof appears in Crypto 1996 Bellare–Canetti– Krawczyk NMAC/HMAC paper. Given key k and input (N1; N2), NMAC computes S(S(k; N1); N2), where S is a stream cipher “compression function”. (Tweaks: output is encrypted; no prefix-free requirement.) Proof has weird assumptions. Crypto 2006 Bellare proof: more reasonable-sounding assumptions.

8

Complicated; error-prone. 2012 Koblitz–Menezes: Bellare’s assumptions are wrong.

slide-38
SLIDE 38

7

Not happy with cascade proofs? A different proof appears in Crypto 1996 Bellare–Canetti– Krawczyk NMAC/HMAC paper. Given key k and input (N1; N2), NMAC computes S(S(k; N1); N2), where S is a stream cipher “compression function”. (Tweaks: output is encrypted; no prefix-free requirement.) Proof has weird assumptions. Crypto 2006 Bellare proof: more reasonable-sounding assumptions.

8

Complicated; error-prone. 2012 Koblitz–Menezes: Bellare’s assumptions are wrong. 2012 Katz–Lindell: public denials.

slide-39
SLIDE 39

7

Not happy with cascade proofs? A different proof appears in Crypto 1996 Bellare–Canetti– Krawczyk NMAC/HMAC paper. Given key k and input (N1; N2), NMAC computes S(S(k; N1); N2), where S is a stream cipher “compression function”. (Tweaks: output is encrypted; no prefix-free requirement.) Proof has weird assumptions. Crypto 2006 Bellare proof: more reasonable-sounding assumptions.

8

Complicated; error-prone. 2012 Koblitz–Menezes: Bellare’s assumptions are wrong. 2012 Katz–Lindell: public denials. 2012 Bernstein–Lange: Bellare’s assumptions are wrong.

slide-40
SLIDE 40

7

Not happy with cascade proofs? A different proof appears in Crypto 1996 Bellare–Canetti– Krawczyk NMAC/HMAC paper. Given key k and input (N1; N2), NMAC computes S(S(k; N1); N2), where S is a stream cipher “compression function”. (Tweaks: output is encrypted; no prefix-free requirement.) Proof has weird assumptions. Crypto 2006 Bellare proof: more reasonable-sounding assumptions.

8

Complicated; error-prone. 2012 Koblitz–Menezes: Bellare’s assumptions are wrong. 2012 Katz–Lindell: public denials. 2012 Bernstein–Lange: Bellare’s assumptions are wrong. 2013 Pietrzak: fixed theorem from Koblitz–Menezes is wrong.

slide-41
SLIDE 41

7

Not happy with cascade proofs? A different proof appears in Crypto 1996 Bellare–Canetti– Krawczyk NMAC/HMAC paper. Given key k and input (N1; N2), NMAC computes S(S(k; N1); N2), where S is a stream cipher “compression function”. (Tweaks: output is encrypted; no prefix-free requirement.) Proof has weird assumptions. Crypto 2006 Bellare proof: more reasonable-sounding assumptions.

8

Complicated; error-prone. 2012 Koblitz–Menezes: Bellare's assumptions are wrong. 2012 Katz–Lindell: public denials. 2012 Bernstein–Lange: Bellare's assumptions are wrong. 2013 Pietrzak: fixed theorem from Koblitz–Menezes is wrong. 2013 Pietrzak, 2013 Koblitz–Menezes, 2014 Gaži–Pietrzak–Rybár: another NMAC proof, as complicated as cascade proof.

slide-42
SLIDE 42

7

happy with cascade proofs? different proof appears in 1996 Bellare–Canetti– czyk NMAC/HMAC paper. key k and input (N1; N2), computes S(S(k; N1); N2), S is a stream cipher ression function”. eaks: output is encrypted; fix-free requirement.) has weird assumptions. 2006 Bellare proof: more reasonable-sounding assumptions.

8

Complicated; error-prone. 2012 Koblitz–Menezes: Bellare’s assumptions are wrong. 2012 Katz–Lindell: public denials. 2012 Bernstein–Lange: Bellare’s assumptions are wrong. 2013 Pietrzak: fixed theorem from Koblitz–Menezes is wrong. 2013 Pietrzak, 2013 Koblitz– Menezes, 2014 Ga˘ zi–Pietrzak– Ryb´ ar: another NMAC proof, as complicated as cascade proof. Hmmm. “A model pseudo-random applications RNG outputs Another

slide-43
SLIDE 43

7

cascade proofs?

  • f appears in

Bellare–Canetti– C/HMAC paper. input (N1; N2), computes S(S(k; N1); N2), stream cipher function”.

  • utput is encrypted;

requirement.) assumptions. Bellare proof: more reasonable-sounding assumptions.

8

Complicated; error-prone. 2012 Koblitz–Menezes: Bellare’s assumptions are wrong. 2012 Katz–Lindell: public denials. 2012 Bernstein–Lange: Bellare’s assumptions are wrong. 2013 Pietrzak: fixed theorem from Koblitz–Menezes is wrong. 2013 Pietrzak, 2013 Koblitz– Menezes, 2014 Ga˘ zi–Pietrzak– Ryb´ ar: another NMAC proof, as complicated as cascade proof.

  • Hmmm. CCS 2005

“A model and architecture pseudo-random generation applications to /dev/random RNG outputs F(k), Another complicated

slide-44
SLIDE 44

7

roofs? in re–Canetti– paper. ; N2),

1); N2),

cipher encrypted; requirement.) assumptions.

  • f: more

assumptions.

8

Complicated; error-prone. 2012 Koblitz–Menezes: Bellare’s assumptions are wrong. 2012 Katz–Lindell: public denials. 2012 Bernstein–Lange: Bellare’s assumptions are wrong. 2013 Pietrzak: fixed theorem from Koblitz–Menezes is wrong. 2013 Pietrzak, 2013 Koblitz– Menezes, 2014 Ga˘ zi–Pietrzak– Ryb´ ar: another NMAC proof, as complicated as cascade proof.

  • Hmmm. CCS 2005 Barak–Halevi

“A model and architecture fo pseudo-random generation with applications to /dev/random RNG outputs F(k), F(G(k)), Another complicated proof.

slide-45
SLIDE 45

8

Complicated; error-prone. 2012 Koblitz–Menezes: Bellare’s assumptions are wrong. 2012 Katz–Lindell: public denials. 2012 Bernstein–Lange: Bellare’s assumptions are wrong. 2013 Pietrzak: fixed theorem from Koblitz–Menezes is wrong. 2013 Pietrzak, 2013 Koblitz– Menezes, 2014 Ga˘ zi–Pietrzak– Ryb´ ar: another NMAC proof, as complicated as cascade proof.

9

  • Hmmm. CCS 2005 Barak–Halevi

“A model and architecture for pseudo-random generation with applications to /dev/random”? RNG outputs F(k), F(G(k)), etc. Another complicated proof.

slide-46
SLIDE 46

8

Complicated; error-prone. 2012 Koblitz–Menezes: Bellare’s assumptions are wrong. 2012 Katz–Lindell: public denials. 2012 Bernstein–Lange: Bellare’s assumptions are wrong. 2013 Pietrzak: fixed theorem from Koblitz–Menezes is wrong. 2013 Pietrzak, 2013 Koblitz– Menezes, 2014 Ga˘ zi–Pietrzak– Ryb´ ar: another NMAC proof, as complicated as cascade proof.

9

  • Hmmm. CCS 2005 Barak–Halevi

“A model and architecture for pseudo-random generation with applications to /dev/random”? RNG outputs F(k), F(G(k)), etc. Another complicated proof. How about 2006 Campagna “Security bounds for the NIST codebook-based deterministic random bit generator”? Doesn’t prove anything about rekeying.

slide-47
SLIDE 47

8

Complicated; error-prone. 2012 Koblitz–Menezes: Bellare’s assumptions are wrong. 2012 Katz–Lindell: public denials. 2012 Bernstein–Lange: Bellare’s assumptions are wrong. 2013 Pietrzak: fixed theorem from Koblitz–Menezes is wrong. 2013 Pietrzak, 2013 Koblitz– Menezes, 2014 Ga˘ zi–Pietrzak– Ryb´ ar: another NMAC proof, as complicated as cascade proof.

9

Hmmm. CCS 2005 Barak–Halevi “A model and architecture for pseudo-random generation with applications to /dev/random”? RNG outputs F(k), F(G(k)), etc. Another complicated proof.
How about 2006 Campagna “Security bounds for the NIST codebook-based deterministic random bit generator”? Doesn’t prove anything about rekeying.
2017 AES-GCM-SIV bounds? Big errors found by Iwata–Seurin.

10

A simple tight new proof
Remember the goal: analyze pT. There are T keys.
Cipher 1: key → many subkeys.
Cipher 2: subkey → outputs.
New proof has just two steps.
Step 1. Replace all subkeys. Distinguisher ⇒ T-target attack against cipher 1.
Step 2. Replace all outputs. Distinguisher ⇒ (T · many)-target attack against cipher 2.
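The two proof steps above, written out as an added example that is not part of the original slides: a small Python model of two-level rekeying (cipher 1 turns a key into `many` subkeys, cipher 2 turns each subkey into `n` output blocks), together with the two reductions the proof uses. Assumptions made here: AES is replaced by an HMAC-SHA256 stand-in PRF because the Python standard library has no AES; the names `MultiTargetPRF`, `step1_adversary`, `step2_adversary`, `deterministic_rng` and `simulations_are_exact`, and the small parameters T, many and n, are constructed for this illustration.

```python
# Added example (not from the slides): the two-step hybrid proof for
# two-level rekeying as code.  AES is replaced by an HMAC-SHA256 stand-in
# PRF (assumption: the standard library has no AES).
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Tuple

BLOCK = 16    # AES block size in bytes
KEYLEN = 32   # AES-256 key size; a subkey is two consecutive blocks of F(k)

Rng = Callable[[int], bytes]


def prf(key: bytes, i: int) -> bytes:
    """Stand-in for AES_key(i): one 16-byte block (HMAC-SHA256, truncated)."""
    return hmac.new(key, i.to_bytes(BLOCK, "big"), hashlib.sha256).digest()[:BLOCK]


def expand(key: bytes, nblocks: int) -> bytes:
    """F(k) = (F_k(0), ..., F_k(nblocks-1)), the expansion used on the slides."""
    return b"".join(prf(key, i) for i in range(nblocks))


def subkeys(key: bytes, many: int) -> List[bytes]:
    """Cipher 1: split F(k) into subkeys (F_k(0),F_k(1)), (F_k(2),F_k(3)), ..."""
    stream = expand(key, 2 * many)
    return [stream[KEYLEN * j:KEYLEN * (j + 1)] for j in range(many)]


def rekeyed_outputs(key: bytes, many: int, n: int) -> List[bytes]:
    """The real scheme: cipher 2 expands every subkey k' into F(k') of n blocks."""
    return [expand(sk, n) for sk in subkeys(key, many)]


class MultiTargetPRF:
    """Multi-target PRF game for one cipher: `targets` independent hidden keys.
    query(j, i) returns F_{key_j}(i) in the real world, or a fresh uniform
    block (memoised so repeated queries agree) in the random world."""

    def __init__(self, targets: int, real: bool, rng: Rng = secrets.token_bytes):
        self.keys = [rng(KEYLEN) for _ in range(targets)]
        self.real = real
        self.rng = rng
        self.table: Dict[Tuple[int, int], bytes] = {}

    def query(self, j: int, i: int) -> bytes:
        if self.real:
            return prf(self.keys[j], i)
        if (j, i) not in self.table:
            self.table[(j, i)] = self.rng(BLOCK)
        return self.table[(j, i)]


def step1_adversary(oracle: MultiTargetPRF, T: int, many: int, n: int) -> List[List[bytes]]:
    """Step 1: a distinguisher D for the rekeyed scheme becomes a T-target attack
    on cipher 1.  Ask each target for 2*many blocks, read them as subkeys, run
    cipher 2 honestly, hand the transcript to D.  Real oracle -> D sees the real
    scheme; random oracle -> D sees hybrid H1 (uniform subkeys, honest cipher 2)."""
    transcript = []
    for t in range(T):
        stream = b"".join(oracle.query(t, i) for i in range(2 * many))
        sks = [stream[KEYLEN * j:KEYLEN * (j + 1)] for j in range(many)]
        transcript.append([expand(sk, n) for sk in sks])
    return transcript


def step2_adversary(oracle: MultiTargetPRF, T: int, many: int, n: int) -> List[List[bytes]]:
    """Step 2: D becomes a (T*many)-target attack on cipher 2.  Target t*many+j
    plays subkey j of key t.  Real oracle -> D sees H1; random oracle -> D sees
    H2, where every output block is uniform."""
    return [[b"".join(oracle.query(t * many + j, i) for i in range(n)) for j in range(many)]
            for t in range(T)]


def deterministic_rng(seed: bytes) -> Rng:
    """Constructed, reproducible randomness source (only for checking simulations)."""
    counter = 0

    def rng(nbytes: int) -> bytes:
        nonlocal counter
        out = b""
        while len(out) < nbytes:
            out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
            counter += 1
        return out[:nbytes]
    return rng


def simulations_are_exact(T: int = 3, many: int = 4, n: int = 5) -> bool:
    """Each reduction must reproduce its neighbouring hybrid bit-for-bit; then any
    gap D detects between the real scheme and H2 shows up in one of the two games."""
    real1 = MultiTargetPRF(T, real=True, rng=deterministic_rng(b"seed-1"))
    ok = step1_adversary(real1, T, many, n) == [rekeyed_outputs(k, many, n) for k in real1.keys]

    rand1 = MultiTargetPRF(T, real=False, rng=deterministic_rng(b"seed-2"))
    h1 = step1_adversary(rand1, T, many, n)
    # Feed the uniform subkeys rand1 produced to a real cipher-2 game: H1 again.
    real2 = MultiTargetPRF(T * many, real=True, rng=deterministic_rng(b"seed-3"))
    real2.keys = [rand1.table[(t, 2 * j)] + rand1.table[(t, 2 * j + 1)]
                  for t in range(T) for j in range(many)]
    ok = ok and step2_adversary(real2, T, many, n) == h1

    rand2 = MultiTargetPRF(T * many, real=False, rng=deterministic_rng(b"seed-4"))
    h2 = step2_adversary(rand2, T, many, n)
    return ok and all(len(b) == BLOCK * n for row in h2 for b in row)
```

Because each reduction simulates its neighbouring world exactly, a distinguisher's advantage between the real rekeyed scheme and uniform output is at most its advantage in the T-target game against cipher 1 plus its advantage in the (T · many)-target game against cipher 2, with no further loss; that is what makes the two-step proof tight.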


11

[Diagram: two columns of security notions with labeled arrows]

multi-target one-level security --(new, easy)--> multi-target two-level security --(induct)--> multi-target many-level security
single-target one-level security --(X, harder)--> single-target two-level security --(induct)--> single-target many-level security

X: FOCS 1996 Bellare–Canetti–Krawczyk Lemma 3.2. Harder; not suitable for induction.