breaking and repairing gcm security proofs
play

Breaking and Repairing GCM Security Proofs Tetsu Iwata, Nagoya - PowerPoint PPT Presentation

Jul 15, 2023 •116 likes •414 views

Breaking and Repairing GCM Security Proofs Tetsu Iwata, Nagoya University Keisuke Ohashi, Nagoya University Kazuhiko Minematsu, NEC Corporation CRYPTO 2012 August 20, 2012, Santa Barbara, USA GCM Galois/Counter Mode authenticated encryption

  1. Breaking and Repairing GCM Security Proofs Tetsu Iwata, Nagoya University Keisuke Ohashi, Nagoya University Kazuhiko Minematsu, NEC Corporation CRYPTO 2012 August 20, 2012, Santa Barbara, USA

  2. GCM • Galois/Counter Mode • authenticated encryption mode of 128 ‐ bit blockciphers • designed by McGrew and Viega in 2004 [MV04] • selected as the NIST recommended authenticated encryption mode in 2007 • widely used in practice – ISO/IEC 19772, IEEE P1619.1, NSA Suite B, IETF IPsec, SSH, SSL,… [MV04] David A. McGrew and John Viega: The Security and Performance of the Galois/Counter Mode (GCM) of Operation. Cryptology ePrint Archive: Report 2004/193 (full version of INDOCRYPT 2004) 2

  3. Encryption Algorithm of GCM input: output: K: blockcipher key C: ciphertext N: nonce T: tag A: associated data M: plaintext E K : Blockcipher GHASH L : Universal hash L=E K (0 n ), ε : empty string n = 128 (block size) 3

  4. Provable Security Results • The designers proved the security of GCM [MV04] • analyzed privacy and authenticity against chosen ciphertext attacks • Privacy bound: – – Ciphertexts of GCM are indistinguishable from random strings 4

  5. Provable Security Results • Authenticity bound: – – GCM is unforgeable 5

  6. Previous Security Analyses • [Ferguson ’05] – forgery attacks when the tag is short • [Joux ’06] – key recovery attacks on GCM (nonce reuse), forgery attacks on the draft NIST version of GCM • [Handschuh, Preneel ’08] – a weak key, forgery attacks • [Saarinen ’12] – many weak keys, forgery attacks 6

  7. Previous Security Analyses • It is widely considered that the provable security results of GCM are sound – in the sense that these attacks do not contradict the claimed security bounds, and that no flaw in the proofs has been identified – show the tightness of the security bounds – outside the security model (e.g., nonce reuse) 7

  8. Equation Over GF(2 128 ) • defined by the irreducible polynomial p(x) = 1+x+x 2 +x 7 +x 128 (used in GCM) • the multiplicative identity element is 0x80…0 (10…0 in binary) U ∙ L 2 ⊕ V ∙ L ⊕ 0x0…01 = U’ ∙ L 2 ⊕ V ∙ L U = 0x00000000 00000000 02000000 00000000 (128 bits) U’= 0x00000000 00000000 06000000 00000000 (128 bits) V = 0x00000000 00000000 00000000 00000048 (128 bits) • How many solutions (in L) do we have? 8

  9. Equation Over GF(2 128 ) • defined by the irreducible polynomial p(x) = 1+x+x 2 +x 7 +x 128 (used in GCM) • the multiplicative identity element is 0x80…0 (10…0 in binary) U ∙ L 2 ⊕ V ∙ L ⊕ 0x0…01 = U’ ∙ L 2 ⊕ V ∙ L U = 0x00000000 00000000 02000000 00000000 (128 bits) U’= 0x00000000 00000000 06000000 00000000 (128 bits) V = 0x00000000 00000000 00000000 00000048 (128 bits) • How many solutions (in L) do we have? – at most 2 solutions (actually one solution) 9

  10. Increment Function in GCM • inc( X || Y ) = X || (Y+1 mod 2 32 ) – |X| = 96, |Y|=32 – inc( 0x0…01 ) = 0x0…02 U ∙ L 2 ⊕ V ∙ L ⊕ 0x0…01 = U’ ∙ L 2 ⊕ V ∙ L inc( U ∙ L 2 ⊕ V ∙ L ) = U’ ∙ L 2 ⊕ V ∙ L • How many solutions (in L) do we have? – Note: LHS may not be a degree 2 polynomial over GF(2 128 ) 10

  11. List of Solutions 0x7f6db6d2db6db6db6db6db6492492492, 0x7f6db6dadb6db6db6db6db6492492492, 0x81b6db776db6db6db6db6dadb6db6db6, 0x81b6db676db6db6db6db6dadb6db6db6, 0xbe00003c000000000000003fffffffff, 0xbe00001c000000000000003fffffffff, 0xc16db6aadb6db6db6db6db1b6db6db6d, 0xc16db6eadb6db6db6db6db1b6db6db6d, 0x3fb6db876db6db6db6db6d5249249249, 0x3fb6db076db6db6db6db6d5249249249, 0x000001dc00000000000001c000000000, 0x000000dc00000000000001c000000000, 0x7f6db56adb6db6db6db6d8e492492492, 0x7f6db76adb6db6db6db6d8e492492492, 0x81b6dc076db6db6db6db6aadb6db6db6, 0x81b6d8076db6db6db6db6aadb6db6db6, 0xbe000edc0000000000000e3fffffffff, 0xbe0006dc0000000000000e3fffffffff, 0xc16dab6adb6db6db6db6c71b6db6db6d, 0xc16dbb6adb6db6db6db6c71b6db6db6d, 0x3fb6e0076db6db6db6db555249249249, 0x3fb6c0076db6db6db6db555249249249, 0x000076dc00000000000071c000000000, 0x000036dc00000000000071c000000000, 0x7f6d5b6adb6db6db6db638e492492492, 0x7f6ddb6adb6db6db6db638e492492492, 0x81b700076db6db6db6daaaadb6db6db6, 0x81b600076db6db6db6daaaadb6db6db6, 0xbe03b6dc0000000000038e3fffffffff, 0xbe01b6dc0000000000038e3fffffffff, 0xc16adb6adb6db6db6db1c71b6db6db6d, 0x00000004000000000000000000000000 • Answer: 32 solutions 11

  12. Counter Collision |N|, |N’| � 96 • A counter collision is a bad event: I[1] = I’[1], I[2] = I’[1], … – xor of two ciphertexts = xor of two plaintexts – the information about plaintexts is leaked • We need to show that Pr L [ Coll L (r, N, N’) ] is small – Coll L (r, N, N’): inc r ( GHASH L ( ε , N) ) = GHASH L ( ε , N’) 12

  13. GHASH L ( ε , N) • universal hash function • N || 0…0 || |N| n = ( X[1],…,X[x] ) • GHASH L ( ε , N) = X[1] ∙ L x ⊕ X[2] ∙ L x ‐ 1 ⊕ … ⊕ X[x] ∙ L • N = 0x00000000 00000000 02 (72 bits) • GHASH L ( ε , N) = 0x00000000 00000000 02000000 00000000 ∙ L 2 ⊕ 0x00000000 00000000 00000000 00000048 ∙ L = U ∙ L 2 ⊕ V ∙ L • N’ = 0x00000000 00000000 06 (72 bits) • GHASH L ( ε , N’) = U’ ∙ L 2 ⊕ V ∙ L 13

  14. Pr L [ Coll L (r, N, N’) ] Is Small • [Lemma 3, MV04] Pr L [ Coll L (r, N, N’) ] ≤ max{ d, d’ } / 2 n where d = deg( GHASH L ( ε , N) ), d’ = deg( GHASH L ( ε , N’) ) • The lemma claims “inc( U ∙ L 2 ⊕ V ∙ L ) = U’ ∙ L 2 ⊕ V ∙ L has at most 2 solutions.” 14

  15. Pr L [ Coll L (r, N, N’) ] Is Small • [Lemma 3, MV04] Pr L [ Coll L (r, N, N’) ] ≤ max{ d, d’ } / 2 n where d = deg( GHASH L ( ε , N) ), d’ = deg( GHASH L ( ε , N’) ) • The lemma claims “inc( U ∙ L 2 ⊕ V ∙ L ) = U’ ∙ L 2 ⊕ V ∙ L has at most 2 solutions.” • [Lemma 3, MV04] is incorrect – used in both the privacy proof and the authenticity proof – both proofs contain a flaw 15

  16. More Observation inc( U ∙ L 2 ⊕ V ∙ L ) = U’ ∙ L 2 ⊕ V ∙ L (A) inc 2 ( U ∙ L 2 ⊕ V ∙ L ) = U’ ∙ L 2 ⊕ V ∙ L (B) inc 4 ( U ∙ L 2 ⊕ V ∙ L ) = U’ ∙ L 2 ⊕ V ∙ L (C) inc 0 ( U ∙ L 2 ⊕ V ∙ L ) = U’ ∙ L 2 ⊕ V ∙ L (D) • Number of solutions – (A): 32, (B): 31, (C): 30, (D): 1 • 94 solutions are all distinct • Pr L [ (A) or (B) or (C) or (D) ] � 94/2 128 16

  17. Distinguishing Attack • The observation can be translated into a distinguishing attack on GCM[Rand(n), � ]: GCM with a random function R (instead of E K ) – by simply observing if the event occurs in ciphertexts GCM[Rand(n), � ] (A) � 94/2 128 – Adv priv • The attack does not contradict the overall privacy bound, but it invalidates a part of it – GCM[Rand(n), � ] (A) � 80/2 128 – The second term: Adv priv 17

  18. Remarks • The attack does not break GCM – Our attack does not contradict the overall privacy bound – it invalidates only a part of it – the attack also invalidates a part of the authenticity bound • The success probability of the attack is small – The practical implication is limited • The attack does not work if the nonce length is restricted to 96 bits (required or recommended by many standards mainly for efficiency reasons) 18

  19. Can We Repair the Proofs? • without modifying the original specification • Pr L [ Coll L (r, N, N’) ] � ? – introduce a combinatorial problem – relation to the proof – approaches to solve the problem – new privacy and authenticity bounds 19

  20. Combinatorial Problem Y r = { (Y + r mod 2 32 ) ⊕ Y | Y is in {0,1} 32 } α r = # Y r problem: determine α max = max{ α r | 0 ≤ r ≤ 2 32 ‐ 1} r 32 Y + r mod 2 32 Y 32 Y Y α r = the number of possible non ‐ zero xor differences of Y + r mod 2 32 and Y when Y ranges over {0,1} 32 20

  21. Relation to the Proof • Coll L (r, N, N’): inc r ( GHASH L ( ε , N) ) = GHASH L ( ε , N’) • if we can replace inc r ( GHASH L ( ε , N) ) by GHASH L ( ε , N) ⊕ C, then we can derive the upper bound on Pr L [ Coll L (r, N, N’) ] GHASH L ( ε , N) ⊕ C = GHASH L ( ε , N’) (*) • but C depends on r and GHASH L ( ε , N) • α r = #{ (Y + r mod 2 32 ) ⊕ Y | Y is in {0,1} 32 } represents the number of possibilities of C • For each C, we know the number of solutions of (*) 21

  22. Relation to the Proof • Towards a new version of [Lemma 3, MV04] • Lemma For each 0 ≤ r ≤ 2 32 ‐ 1 Pr L [ Coll L (r, N, N’) ] ≤ α r max{ d, d’ } / 2 n where d = deg( GHASH L ( ε , N) ), d’ = deg( GHASH L ( ε , N’) ) • For any 0 ≤ r ≤ 2 32 ‐ 1 Pr L [ Coll L (r, N, N’) ] ≤ α max max{ d, d’ } / 2 n 22

  23. Approaches to Solve the Problem • Make use of tools for the analysis of S ‐ functions [Mouha, et al. ’11, Leurent, ’12] • Our solution: – a recursive formula to compute α r – Proposition if s ℓ = 0, then A ℓ = t ℓ A ℓ‐ 1 + B ℓ‐ 1 if s ℓ ≥ 1, then A ℓ = s ℓ B ℓ + A ℓ‐ 1 where B j = t j A j ‐ 1 + B j ‐ 1 for 0 < j ≤ ℓ , A j = s j B j + A j ‐ 1 for 0 < j ≤ ℓ‐ 1, A 0 = 1, and B 0 = 0 – can be used to efficiently compute α r 23

  24. Graph of α r α r shows only if α 0 , α 1 ,…, α r ‐ 1 < α r r 24

  25. Graph of α r 2 22 α r shows only if α 0 , α 1 ,…, α r ‐ 1 < α r r 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
CRASH AND PAY Cloning and Fuzzing the NFC world. PAYMENT SECURITY CONSULTING 1 WWW.PSCCO.COM.AU

CRASH AND PAY Cloning and Fuzzing the NFC world. PAYMENT SECURITY CONSULTING 1 WWW.PSCCO.COM.AU

CRASH AND PAY Cloning and Fuzzing the NFC world. PAYMENT SECURITY CONSULTING 1 WWW.PSCCO.COM.AU 15/09/2014 ABOUT ME Principle Consultant at Payment Security Consulting Banking, Payments, Certifications, breaking stuff; repairing

867 views • 52 slides
Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA)

800 views • 58 slides
Repairing HTTP authn. for Web security - HTTP Mutual authentication proposal - Yutaka OIWA (AIST

Repairing HTTP authn. for Web security - HTTP Mutual authentication proposal - Yutaka OIWA (AIST

Repairing HTTP authn. for Web security - HTTP Mutual authentication proposal - Yutaka OIWA (AIST Japan) May 25, 2011 W3C Workshop on Identity in the Browser Some Keywords yesterday and today You can't get there from here directly

322 views • 13 slides
Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

1 Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most protocols: (AES k (0) ; : : : ; AES k ( n 1)) is distinguishable from uniform with probability n ( n 1) = 2 129 , plus tiny key-guessing

577 views • 32 slides
Apache Security - I m proving the security of your w eb server by breaking into it Sebastian

Apache Security - I m proving the security of your w eb server by breaking into it Sebastian

Risk Advisory Services Apache Security - I m proving the security of your w eb server by breaking into it Sebastian Wolfgarten, 21C3, December 2004 sebastian.wolfgarten@de.ey.com 1 Berlin, Germany - 29.12.2004 Agenda Preface

697 views • 41 slides
Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern Jacques.Stern@ens.fr Laboratoire dInformatique Ecole Normale Sup erieure 45, rue dUlm 75230 PARIS CEDEX 05 Security Proofs for

588 views • 12 slides
Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso, Franois-Xavier Standaert Radbout University Nijmegen (The Netherlands), UCL (Belgium) EUROCRYPT 2018, Tel Aviv, Israel Motivation (side-channel security

775 views • 52 slides
Outline The Game-based Methodology 1 Cryptography for Computational Security Proofs

Outline The Game-based Methodology 1 Cryptography for Computational Security Proofs

Cryptography Game-based Proofs Assumptions BF IB-Encryption Conclusion Outline The Game-based Methodology 1 Cryptography for Computational Security Proofs Introduction Provable Security David Pointcheval 2 Game-based Methodology

722 views • 10 slides
Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech -

Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech -

Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech - Jean-Louis Roch Master-2 Security, Cryptology and Coding of Information Systems ENSIMAG/Grenoble-INP UJF Grenoble University, France Security Models,

396 views • 20 slides
How reversing the COMBUS protocol resulted in breaking security Hacking COMBUS in a of a

How reversing the COMBUS protocol resulted in breaking security Hacking COMBUS in a of a

How reversing the COMBUS protocol resulted in breaking security Hacking COMBUS in a of a security system Paradox security system 16.11.2018. IT-SECX 2018, Austria Author Lead researcher at Possible Security, Latvia Hacking and

700 views • 29 slides
CORE SECURITY Breaking Out of VirtualBox through 3D Acceleration Francisco Falcon (@fdfalcon)

CORE SECURITY Breaking Out of VirtualBox through 3D Acceleration Francisco Falcon (@fdfalcon)

CORE SECURITY Breaking Out of VirtualBox through 3D Acceleration Francisco Falcon (@fdfalcon) REcon 2014 P A G E About me Exploit writer for Core Security. From Argentina. Interested in the usual stuff: reverse engineering,

1.17k views • 94 slides
Xenpwn Breaking Paravirtualized Devices Felix Wilhelm www.ernw.de #wh whoami Security

Xenpwn Breaking Paravirtualized Devices Felix Wilhelm www.ernw.de #wh whoami Security

Xenpwn Breaking Paravirtualized Devices Felix Wilhelm www.ernw.de #wh whoami Security Researcher @ ERNW Research Application and Virtualization Security Recent Research Security Appliances (Fireeye, Palo Alto) Hypervisors

908 views • 53 slides
Bernstein Bound is Tight Repairing Luykx-Preneel Optimal Forgeries Mridul Nandi Indian

Bernstein Bound is Tight Repairing Luykx-Preneel Optimal Forgeries Mridul Nandi Indian

History of WCS Outline Known Security Analysis Our Works Bernstein Bound is Tight Repairing Luykx-Preneel Optimal Forgeries Mridul Nandi Indian Statistical Institute, Kolkata CRYPTO 2018 History of WCS Outline Known Security Analysis Our

834 views • 57 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Euclid (300 BC) Proofs, Continued Today Proofs : A style guide Proofs should be easy to verify. All the cleverness goes into finding/writing the proof, not reading/verifying it! P vs. NP (informally) : P =

682 views • 21 slides
The Pumping Lemma Definition: A language that cannot be defined by a regular expression is a

The Pumping Lemma Definition: A language that cannot be defined by a regular expression is a

Chapter 10: Nonregular Languages Peter Cappello Department of Computer Science University of California, Santa Barbara Santa Barbara, CA 93106 cappello@cs.ucsb.edu The corresponding textbook chapter should be read before attending this

348 views • 14 slides
A. V. Geramita and E. Carlini asked that their slides be combined into a single file, since their

A. V. Geramita and E. Carlini asked that their slides be combined into a single file, since their

A. V. Geramita and E. Carlini asked that their slides be combined into a single file, since their talks were meant to be taken as parts 1 and 2 of a single presentation. . Solution to Waringss Problem for Monomials - I M.V. Catalisano, E.

445 views • 28 slides
Distributed Power Management under Limited Communication Na Li Harvard University Rutgers,

Distributed Power Management under Limited Communication Na Li Harvard University Rutgers,

Distributed Power Management under Limited Communication Na Li Harvard University Rutgers, 08/22/2017 Acknowledgment : Harvard Univ : Guannan Qu, Chinwendu Enyioha, Vahid Tarokh KTH : Sindri Magnusson, Carlo Fishchione Caltech: Steven Low NREL:

1.11k views • 87 slides
The Rokhlin dimension of topological Z m -actions The structure and classification of nuclear

The Rokhlin dimension of topological Z m -actions The structure and classification of nuclear

The Rokhlin dimension of topological Z m -actions The structure and classification of nuclear C*-algebras G abor Szab o WWU M unster April 2013 1 / 22 Main result Today, I would like to convince you of the following: Theorem Let X

612 views • 57 slides
ARIMA and ARFIMA models Christopher F Baum EC 823: Applied Econometrics Boston College, Spring

ARIMA and ARFIMA models Christopher F Baum EC 823: Applied Econometrics Boston College, Spring

ARIMA and ARFIMA models Christopher F Baum EC 823: Applied Econometrics Boston College, Spring 2013 Christopher F Baum (BC / DIW) ARIMA and ARFIMA models Boston College, Spring 2013 1 / 61 ARIMA and ARMAX models ARIMA and ARMAX models The

645 views • 61 slides
Automating the Local Adaptation of Illumination in Analytical Relief Shading Brooke Marston, Oregon

Automating the Local Adaptation of Illumination in Analytical Relief Shading Brooke Marston, Oregon

Automating the Local Adaptation of Illumination in Analytical Relief Shading Brooke Marston, Oregon State University Adviser: Dr. Bernhard Jenny, Oregon State University ICA Mountain Cartography Workshop, Banff, Canada April 24, 2014 Relief Shading

422 views • 38 slides
Lightweight Unsupervised Domain Adaptation by Convolutional Filter Reconstruction Rahaf Aljundi,

Lightweight Unsupervised Domain Adaptation by Convolutional Filter Reconstruction Rahaf Aljundi,

Lightweight Unsupervised Domain Adaptation by Convolutional Filter Reconstruction Rahaf Aljundi, Tinne Tuytelaars Unsupervised Domain Adaptation When you expect the test data (Target) to be different from your training data (Source) DA in the

683 views • 39 slides
2002 Operations Workshop 2002 Operations Workshop 12 June 2005 Agenda Maintaining Readiness

2002 Operations Workshop 2002 Operations Workshop 12 June 2005 Agenda Maintaining Readiness

1 2002 Operations Workshop 2002 Operations Workshop 12 June 2005 Agenda Maintaining Readiness Communication in Troubled Times Harbor Patrols - The Auxiliary Challenge of 2001 &amp; Beyond Things that Go Bump in the Night Team Coordination

598 views • 30 slides

More recommend