Blockcipher-based Authenticated Encryption: How Small Can We Go? (PowerPoint PPT Presentation)

SLIDE 1

Introduction Specification for COFB Hardware Implementation Results of COFB-AES Conclusions References

Blockcipher-based Authenticated Encryption: How Small Can We Go?

Avik Chakraborti (NTT Secure Platform Laboratories, Japan), Tetsu Iwata (Nagoya University, Japan), Kazuhiko Minematsu (NEC Corporation, Japan), Mridul Nandi (Indian Statistical Institute, India)

CHES 2017, Taipei, Taiwan

September, 2017

COFB 1

SLIDE 2


1 Introduction
2 Specification for COFB
3 Hardware Implementation Results of COFB-AES
4 Conclusions
5 References

SLIDE 3


Authenticated Encryption (AE)

Figure: Data Transmission (Taken from [3])

A symmetric encryption scheme AE = (K, E, D) with
$E : K \times M \times N \times A \to C$ and $D : K \times C \times N \times A \to M \cup \{\bot\}$,
where C is the set of tagged ciphertexts and ⊥ is the special symbol denoting reject.

Goal       Primitive              Security
Privacy    Symmetric encryption   IND-CCA/CPA
Integrity  MAC                    UF-CMA

SLIDE 4


Authenticated Encryption (AE)

Input: M, A, N, K. Output: C.
K: key space, M: message space, N: nonce space, A: associated data space, C: ciphertext space.
Nonce: an arbitrary number used only once for each encryption; useful as an initialization vector. Example: a counter.
Associated data: header of the message (not encrypted but authenticated). Example: an IP address.

SLIDE 5


Authenticated Encryption (AE)

Why AE? In practice both privacy and authenticity are desirable. Example taken from [3]: a doctor wishes to send medical information about Alice to the medical database. Then we want data privacy, to ensure Alice's medical records remain confidential, and we want integrity, to ensure the person sending the information is really the doctor and the information was not modified in transit. We refer to this combination as authenticated encryption.

SLIDE 6


Security of Authenticated Encryption [4]

Privacy: we want IND-CPA.
Integrity: the adversary's goal is that the receiver accepts a forged tuple ((C*, T), N, A). INT-CTXT: any forged tuple is rejected with high probability.
Goal: IND-CPA + INT-CTXT.

SLIDE 7


Unified AE Security

Adversary A runs in time t, makes q encryption queries (σ blocks in total) and q_f forgery queries (σ_f blocks in total).

$\mathrm{Adv}^{\mathrm{AE}}_{E}(A) = \Delta_A\big((E_K, D_K);\ (\$, \bot)\big)$

$ returns a random string from the range of E_K; the ⊥ oracle always returns ⊥.

$\mathrm{Adv}^{\mathrm{AE}}_{E}\big((q, q_f), (\sigma, \sigma_f), t\big) = \max_A \mathrm{Adv}^{\mathrm{AE}}_{E}(A)$

SLIDE 8


Construction of AE Scheme

Several ways of designing AE: blockcipher (BC) based, streamcipher (SC) based, permutation based, etc. We consider BC-based AE.
BC-based AE:
- Sequential nonce-based AE: CLOC, SILC
- Parallel on-line AE: ELmD, COPA, COLM
- Parallel nonce-based AE: OCB, OTR
Our target: sequential nonce-based AE. We need to design the feedback function.

SLIDE 9


Possible Options for Feedback

Message feedback: the current M[i] is the feedback X[i] for the next BC call.
Ciphertext feedback: the current C[i] is the feedback X[i].
Output feedback: the previous BC output Y[i − 1] is the feedback X[i].
We use combined feedback. The first three cannot fulfil our needs (a small-state rate-1 AE): X[i] cannot be computed from exactly one of M[i], C[i], Y[i − 1].

SLIDE 10


Different Feedback Modes and COFB (Combined Feedback) Mode

Figure (four panels, left to right): message feedback, ciphertext feedback, output feedback, combined feedback. Each panel shows the previous state X[i − 1] in the register R, the current message block M[i], the ciphertext block C[i] and the next BC input X[i]; the combined-feedback panel additionally applies the linear map G inside ρ.

SLIDE 11

2 Specification for COFB: Design of COFB AE, Security Bounds, Properties
SLIDE 12


Goal of This Design

Lightweight AE mode:
- uses low storage
- standard security bound (close to the birthday bound on the block size)
- security proof in the standard model
- smaller hardware area than the existing ones
- very low number of gates other than the BC

SLIDE 13


Design Rationale and Challenges

COFB uses combined feedback. It needs n bits for storing the BC state, k bits for storing the BC key, and n/2 bits more for masking. Each BC input is masked in a manner similar to the XEX [7] tweakable blockcipher (TBC), but here the mask is only n/2 bits instead of n. This is sufficient for the standard security bound, thanks to our feedback function.

SLIDE 14


Benchmarking in Terms of State Size

Rate: data blocks per BC call.

Scheme            State size   Rate   Security proof
COFB              1.5n + k     1      Yes
JAMBU [9]         1.5n + k     1/2    Yes (integrity only)
CLOC/SILC [5, 6]  2n + k       1/2    Yes
iFEED [10]        3n + k       1      Yes (was wrong; attack in [8])
OCB [7]           3n + k       1      Yes
COLM [2]          3n + k       1/2    Yes

SLIDE 15


COFB AE Mode

$\Delta = E_K(N)[n/4+1 .. 3n/4]$ (the nonce enters as $0^{n/2} \| N$, as in the figure below and on slide 24)
$\mathrm{mask}_\Delta(a, b) = \alpha^a (1+\alpha)^b \Delta$ (tweak function described later)
$\rho_1(y, A) := G \cdot y \oplus A$, $\rho(y, M) = (\rho_1(y, M),\ y \oplus M)$, where G is a full-rank matrix ≠ I (ρ, ρ1 described later)
For B ∈ {A, M}: if $B \neq \lambda$ and n divides |B| then $\delta_B = 1$, else $\delta_B = 2$.

Figure: COFB encryption with three AD blocks A[1..3] and three message blocks M[1..3]. Y[0] = E_K(0^{n/2} || N); each BC input is X[i] = ρ1(Y[i − 1], ·) ⊕ mask. The AD blocks use mask_∆(1, 0), mask_∆(2, 0), mask_∆(2, δ_A); the message blocks use mask_∆(3, δ_A), mask_∆(4, δ_A), mask_∆(4, δ_A + δ_M), with ρ also producing C[1..3]; the final BC output Y[6] is the tag T.

SLIDE 16


Instantiation of COFB AE Mode : COFB-AES

Underlying BC: we use AES-128 as the underlying BC, so n = 128.
Mask function: mask is a simple tweak update function.
ρ1 and ρ: simple linear feedback functions.
The last block has a different tweak.

SLIDE 17


Tweak Function

∆: a 64-bit value derived from the encryption of the nonce. The standard size is 128 bits, but 64 bits are sufficient.
Computed/updated by $\mathrm{mask}_\Delta(a, b) = \alpha^a (1+\alpha)^b \cdot \Delta$, where α is a primitive element of $\mathbb{F}_{2^{64}}$.
This idea is taken from XEX [7] (but the mask length is halved).
$(a, b) \in [0..L] \times [0..4]$, where L is the message length in blocks.

SLIDE 18


Linear Feedback Functions ρ1 and ρ

$\rho_1(y, M) := G \cdot y \oplus M$ and $\rho(y, M) = (\rho_1(y, M),\ y \oplus M)$
$G : (y_1, y_2, y_3, y_4) \to (y_2, y_3, y_4, y_4 \oplus y_1)$ on four n/4-bit words, i.e. with I the (n/4)×(n/4) identity,
$$G_{n \times n} = \begin{pmatrix} 0 & I & 0 & 0 \\ 0 & 0 & I & 0 \\ 0 & 0 & 0 & I \\ I & 0 & 0 & I \end{pmatrix}$$
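The mode on slides 15 to 18, as an added Python reference model. This is not the authors' code or the paper's implementation; it only assembles the slides' own pieces (combined feedback ρ, the linear map G, the n/2-bit mask α^a(1+α)^b∆ and the δ_A, δ_M flags) so that the flow of the slide-15 figure can be executed and checked end to end, including rejection of a forgery. Points the slides leave open are assumptions, marked as such in the code too: n = 128 with a 64-bit nonce entering as 0^64 || N (slide 24) and ∆ taken as the middle 64 bits of Y[0]; the F_{2^64} modulus x^64 + x^4 + x^3 + x + 1; 10* padding of an incomplete or empty last block; the mask index pattern read off the slide-15 figure (the last block of AD and of M keeps the previous a and raises b); and the tag being the full final BC output. The block cipher `feistel_E` is a keyed Feistel network over SHA-256 that stands in for AES-128 so the example runs offline with the standard library only; substituting AES-128 for it gives COFB-AES.

```python
import hashlib
import hmac
from typing import Callable, List, Optional, Tuple

M64, M32 = (1 << 64) - 1, (1 << 32) - 1
# Assumed modulus for F_{2^64}; the slides only say that alpha is a primitive element.
POLY = (1 << 64) | (1 << 4) | (1 << 3) | (1 << 1) | 1

def times_alpha(d: int) -> int:
    """Multiply a 64-bit field element by alpha (= x)."""
    d <<= 1
    return d ^ POLY if d >> 64 else d

def mask(delta: int, a: int, b: int) -> int:
    """mask_Delta(a, b) = alpha^a (1 + alpha)^b Delta (slide 17), returned as the
    n-bit value mask || 0^64 that is XORed into the block-cipher input (slide 24)."""
    for _ in range(a):
        delta = times_alpha(delta)
    for _ in range(b):
        delta = times_alpha(delta) ^ delta          # (1 + alpha) * delta
    return delta << 64

def G(y: int) -> int:
    """G: (y1, y2, y3, y4) -> (y2, y3, y4, y4 xor y1) on four 32-bit words (slide 18)."""
    y1, y2, y3, y4 = (y >> 96) & M32, (y >> 64) & M32, (y >> 32) & M32, y & M32
    return (y2 << 96) | (y3 << 64) | (y4 << 32) | (y4 ^ y1)

def rho1(y: int, m: int) -> int:
    return G(y) ^ m                               # next block-cipher input

def rho(y: int, m: int) -> Tuple[int, int]:
    return rho1(y, m), y ^ m                      # (next input, ciphertext block)

def feistel_E(key: bytes) -> Callable[[int], int]:
    """Keyed 128-bit permutation standing in for AES-128 (assumption: a 4-round
    Feistel over SHA-256, used only so this file runs offline; not a real cipher)."""
    def E(x: int) -> int:
        l, r = x >> 64, x & M64
        for rnd in range(4):
            f = hashlib.sha256(key + bytes([rnd]) + r.to_bytes(8, "big")).digest()[:8]
            l, r = r, l ^ int.from_bytes(f, "big")
        return (l << 64) | r
    return E

def blocks(data: bytes) -> Tuple[List[int], int, int]:
    """Split into 128-bit blocks: (blocks, delta_B, bytes in the last block).
    delta_B = 1 iff data is non-empty and a multiple of n bits (slide 15); an
    incomplete or empty last block is padded 10* (assumption)."""
    chunks = [data[i:i + 16] for i in range(0, len(data), 16)] or [b""]
    last_len = len(chunks[-1])
    if last_len < 16:
        chunks[-1] = chunks[-1] + b"\x80" + b"\x00" * (15 - last_len)
    return [int.from_bytes(c, "big") for c in chunks], (1 if last_len == 16 else 2), last_len

def absorb_ad(E: Callable[[int], int], nonce: bytes, ad: bytes) -> Tuple[int, int, int, int]:
    """Y[0] = E_K(0^64 || N), Delta = Y[0][n/4+1..3n/4], then the AD blocks with masks
    (1,0), ..., (a-1,0) and (a-1, delta_A) for the last one (read off the slide-15 figure)."""
    assert len(nonce) == 8                        # 64-bit nonce in the low half (assumption)
    y = E(int.from_bytes(nonce, "big"))
    delta = (y >> 32) & M64                       # middle 64 bits of Y[0]
    A, d_a, _ = blocks(ad)
    a = len(A)
    for i, blk in enumerate(A, 1):
        tw = (i, 0) if i < a else (a - 1, d_a)
        y = E(rho1(y, blk) ^ mask(delta, *tw))
    return y, delta, a, d_a

def cofb_encrypt(E: Callable[[int], int], nonce: bytes, ad: bytes, msg: bytes) -> Tuple[bytes, bytes]:
    """Message blocks get masks (a, delta_A), ... and (a-2+m, delta_A+delta_M) for the last."""
    y, delta, a, d_a = absorb_ad(E, nonce, ad)
    Mb, d_m, _ = blocks(msg)
    m, out = len(Mb), b""
    for j, blk in enumerate(Mb, 1):
        tw = (a - 1 + j, d_a) if j < m else (a - 2 + m, d_a + d_m)
        x, c = rho(y, blk)
        out += c.to_bytes(16, "big")
        y = E(x ^ mask(delta, *tw))
    return out[:len(msg)], y.to_bytes(16, "big")  # tag T = final Y (assumed untruncated)

def cofb_decrypt(E: Callable[[int], int], nonce: bytes, ad: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
    """Inverse-free: only E_K is called. Returns None (the reject symbol) on a bad tag."""
    y, delta, a, d_a = absorb_ad(E, nonce, ad)
    Cb, d_m, last_len = blocks(ct)
    m, out = len(Cb), b""
    for j, cblk in enumerate(Cb, 1):
        mblk = y ^ cblk                           # M[j] = Y[j-1] xor C[j]
        if j == m and last_len < 16:              # keep |M| bytes, re-pad 10* for the feedback
            keep = mblk.to_bytes(16, "big")[:last_len]
            mblk = int.from_bytes(keep + b"\x80" + b"\x00" * (15 - last_len), "big")
        out += mblk.to_bytes(16, "big")
        tw = (a - 1 + j, d_a) if j < m else (a - 2 + m, d_a + d_m)
        y = E(rho1(y, mblk) ^ mask(delta, *tw))
    if not hmac.compare_digest(y.to_bytes(16, "big"), tag):
        return None
    return out[:len(ct)]
```

Usage: `E = feistel_E(key)`, then `c, t = cofb_encrypt(E, nonce, ad, msg)` and `cofb_decrypt(E, nonce, ad, c, t)`. Decryption is inverse-free (only E is called) but, as slide 20 notes, completely serial, and the tag is known only after the last block: a real implementation must buffer the plaintext and release nothing until the constant-time tag comparison succeeds, which is what returning None for the reject symbol ⊥ models here.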

SLIDE 19


Security Level for COFB-AES

Security bound for privacy: against a nonce-respecting adversary, an almost-birthday bound of 64 bits.
Security bound for authenticity: against a nonce-respecting adversary, an almost-birthday bound of 64 bits.
COFB mode is secure up to $O(2^{n/2}/n)$ queries (almost the birthday bound for block size n).

SLIDE 20


Important Features of COFB AE

Advantages:
- rate = 1
- very low state size of 1.5n + k (n: block size, k: key size)
- very flexible mode (any BC can be used)
- inverse-free
- simple linear feedback
- very lightweight and consumes low hardware area
Limitations:
- both encryption and decryption are completely serial

SLIDE 21

3 Hardware Implementation Results of COFB-AES

SLIDE 22


Cycles per Byte Performance of COFB-AES

Message length (bytes)   16     32     64     128    256    512    1024   2048   4096   16384  32768
COFB-AES cpb             2.93   2.22   1.86   1.68   1.59   1.54   1.52   1.51   1.50   1.50   1.50

For a blocks of AD and m blocks of M, cycle count = 12 + 12(a + m) + 11. In this calculation we assume a = m, and cpb = cycle count / len, where len is the length of M in bytes. Check: for a 16-byte message (a = m = 1) the count is 12 + 24 + 11 = 47 cycles and 47/16 ≈ 2.93 cpb; for long messages cpb tends to 24/16 = 1.50, matching the table.

SLIDE 23


Cycles per Byte Performance of COFB-AES

Figure: cpb (vertical axis, 1.5 to 3.0) against message length in bytes (horizontal axis, 16 to 32768), plotting the values of the previous slide.

SLIDE 24


COFB-AES Base Architecture

Figure: COFB-AES base architecture. Components shown: a 128-bit State register initialised with 0^64 || N; the round-based AES module (AESr) with its Key input; the ρ feedback; a 64-bit ∆ register with its tweak update; a chop unit taking 128 bits to 64 bits; the AD/M input; XORs combining the state with the AD/M block and with the mask padded as mask || 0^64; and the outputs C and T (128 bits).

SLIDE 25


COFB-AES Base Architecture Properties

- Serial processing of data
- Round-based architecture of AES
- Processes 128 bits per 12 clock cycles
- Uses very few storage registers
- Minimum hardware area among all the known implementations
- No pipeline register

SLIDE 26


FSM for COFB-AES Base Architecture

AES module FSM (states and transition conditions as drawn): Start → Reset St → Load St → AES Reset St → AES Start St → AES Round St (loop while Roundctr < 10; when Roundctr = 10 go to AES Done St) → Compute ρ → Add Mask St. If Final Block: Release Tag St → End St; else (on EOM / isComplete) return to Load St for the next block.

SLIDE 27


COFB-AES FPGA Implementation

Information: VHDL; platforms Virtex 6 and Virtex 7 under Xilinx 13.4; not compatible with GMU's ATHENa interface [1]. Base implementation results:

Platform   # Slice registers   # LUTs   # Slices   Frequency (MHz)   Gbps   Mbps/LUT   Mbps/Slice
Virtex 6   722                 1075     442        267.20            2.85   2.24       6.45
Virtex 7   722                 1456     555        264.24            2.82   2.22       5.08

SLIDE 28


Benchmarking of COFB-AES on Virtex 6

Scheme              Type        #LUT   #Slices   Gbps     Mbps/LUT   Mbps/Slice
ACORN               SC based     455    135       3.112    6.840      23.052
PRIMATES-HANUMAN    Sponge      1012    390       0.964    0.953       2.472
COFB-AES            BC based    1075    442       2.850    2.240       6.450
JAMBU-SIMON         BC based    1222    453       0.363    0.297       0.801
Ketje               Sponge      1270    456       7.345    5.783      16.107
ASCON               Sponge      1271    413       3.172    2.496       7.680
Joltik              TBC based   1292    442       0.853    0.660       0.826
JAMBU-AES           BC based    1836    652       1.999    1.089       3.067
SCREAM              TBC based   2052    834       1.039    0.506       1.246
NORX                Sponge      2964   1016      11.029    3.721      10.855
TriviA-ck           SC based    2118    687      15.374    7.259      22.378
Minalpher           BC based    2879   1104       1.831    0.636       1.659
SILC                BC based    3066    921       4.040    1.318       4.387
DEOXYS              TBC based   3143    951       2.793    0.889       2.937
CLOC                BC based    3145    891       2.996    0.488       1.724
AES-GCM             BC based    3175   1053       3.239    1.020       3.076
OCB                 BC based    4249   1348       3.122    0.735       2.316
ELmD                BC based    4302   1584       3.168    0.736       2.091
AEZ                 BC based    4597   1246       8.585    0.747       2.756
AES-OTR             BC based    5102   1385       2.741    0.537       1.979
Tiaoxin             BC based    7123   2101      52.838    7.418      25.149
AEGIS               BC based    7592   2028      70.927    9.342      34.974
AES-COPA            BC based    7754   2358       2.500    0.322       1.060

SLIDE 29

4 Conclusions

SLIDE 30


Conclusion

COFB is a BC-based AE mode, secure up to $O(2^{n/2}/n)$ queries; it is a low-area AE that can be used in low-resource embedded devices.

SLIDE 31

5 References

SLIDE 32

[1] ATHENa: Automated Tool for Hardware Evaluation. https://cryptography.gmu.edu/athena/
[2] Elena Andreeva, Andrey Bogdanov, Nilanjan Datta, Atul Luykx, Bart Mennink, Mridul Nandi, Elmar Tischhauser, and Kan Yasuda. COLM v1. CAESAR Competition.
[3] Mihir Bellare. Authenticated Encryption. https://cseweb.ucsd.edu/~mihir/cse207/s-ae.pdf
[4] Mihir Bellare and Chanathip Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In Advances in Cryptology - ASIACRYPT 2000, 6th International Conference on the Theory and Application of Cryptology and Information Security, Kyoto, Japan, December 3-7, 2000, Proceedings, pages 531–545, 2000.
[5] Tetsu Iwata, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi. CAESAR Candidate CLOC. DIAC 2014.
[6] Tetsu Iwata, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi. CAESAR Candidate SILC. DIAC 2014.
[7] Phillip Rogaway. Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. In ASIACRYPT 2004, pages 16–31, 2004.
[8] Willem Schroé, Bart Mennink, Elena Andreeva, and Bart Preneel. Forgery and subkey recovery on CAESAR candidate iFeed. In Selected Areas in Cryptography - SAC 2015, 22nd International Conference, Sackville, NB, Canada, August 12-14, 2015, Revised Selected Papers, pages 197–204, 2015.
[9] Hongjun Wu and Tao Huang. The JAMBU Lightweight Authentication Encryption Mode (v2). CAESAR Competition.
[10] Liting Zhang, Wenling Wu, Han Sui, and Peng Wang. iFeed[AES] v1. CAESAR Competition.

SLIDE 35


Thank you
