COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse (PowerPoint presentation)

SLIDE 1

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse¹

Atul Luykx

COSIC KU Leuven and iMinds

March 3, 2014

¹ Joint work with E. Andreeva, B. Mennink, and K. Yasuda.

1 / 23

SLIDE 2

Overview

COBRA

1. Misuse resistance
2. Online
3. GCM-like efficiency
4. No block cipher inverse
5. Security reduction to block cipher

2 / 23

SLIDE 6

Background: Misuse Resistance

Nonces cannot always be guaranteed unique:

1. Flawed implementations
2. Reset during backup
3. State of virtual machine copied

Existing misuse resistant schemes: SIV (’06, Rogaway and Shrimpton), BTM (’09, Iwata and Yasuda), HBS (’09, Iwata and Yasuda)

Their drawbacks:

1. High latency (receive full message before first output)
2. Storage issues (large internal state)

⇒ We want online schemes

3 / 23

SLIDE 8

Background: Online Scheme

[Figure: message blocks M[1] M[2] M[3] M[4] above ciphertext blocks C[1] C[2] C[3] C[4] and tag T; every ciphertext block depends on the whole message]

Dependency in SIV, HBS, BTM.

[Figure: the same blocks; each C[i] depends only on M[1], ..., M[i], and the tag T on all of them]

Dependency in an online AE scheme.

4 / 23

SLIDE 13

Background: Online Nonce Misuse

[Figure: three encryptions of M ∥ M1, M ∥ M2 and M′. With distinct nonces (N1, K), (N2, K), (N3, K) the outputs C1 ∥ C1*, C2 ∥ C2*, C3 and tags T1, T2, T3 are unrelated. With the same nonce (N, K) for all three, the common prefix M gives the same ciphertext prefix C in the first two outputs, C ∥ C1* and C ∥ C2*, while M′ gives C′.]

1. Equality of prefixes of messages determined
2. No relationship past common prefix

5 / 23

SLIDE 15

Background: GCM not Misuse Resistant

[Figure: GCM as CTR_K for encryption followed by GHASH_K for the tag, mapping (N, M) to (C, T). The highlighted ⊕ marks the keystream XOR: with a repeated nonce the same CTR keystream is reused, so the XOR of two ciphertexts equals the XOR of the two plaintexts.]

6 / 23

SLIDE 21

Motivation: Overview of Some Online Schemes

[Figure: bar chart, cycles per byte (lower is better)]

Scheme   Class             Cycles per byte
McOE-G   misuse resistant  8.9
COPA     misuse resistant  2.06
GCM      nonce dependent   2.55
OCB      nonce dependent   0.98

Figure: Sandy Bridge with AES-NI²

² References: Gueron DIAC 2013 and Andreeva et al. Asiacrypt 2013.

8 / 23

SLIDE 22

Motivation

Can we close the gap in efficiency between nonce dependent and misuse resistant schemes?

9 / 23

SLIDE 28

Motivation: Misuse Resistance From OCB?

[Figure: OCB encrypts M[1] M[2] M[3] M[4] to C[1] C[2] C[3] C[4] with one mask αi per block. A second message M′[1] M′[2] M′[3] M′[4] under a fresh nonce gets masks β1..β4 and unrelated ciphertext C′[1..4]; under a repeated nonce it gets the same masks α1..α4, so wherever M′[3] = M[3] the ciphertext blocks coincide, C′[3] = C[3], whatever the other blocks are.]

What the masks would have to provide instead:

1. Dependency upon previous message blocks
2. Function using only key
3. No collisions between different messages

⇒ Universal hash

10 / 23

SLIDE 29

Motivation: Nonce Dependent Versus Misuse Resistant

Difference in efficiency: at least efficiency of universal hash

11 / 23

SLIDE 31

Motivation: Universal Hash in AE

[Figure: stacked bar chart of GCM cycles per byte (lower is better), split into GHASH and AES-CTR]

Platform       GCM total   of which GHASH
Sandy Bridge   2.52        1.79
Ivy Bridge     2.52        1.79
Haswell        1.03        0.4

Figure: GCM with AES-NI. Results Gueron DIAC 2013.

12 / 23

SLIDE 33

Overview

COBRA:

1. Misuse resistance
2. Online
3. GCM-like efficiency
   1. One multiplication per block
   2. One block cipher call per block
   3. Parallelizable
4. No block cipher inverse
5. Security reduction to block cipher

13 / 23

SLIDE 35

Motivation: How To Add Authenticity?

[Figure: OCB-style encryption of M[1] M[2] M[3] M[4] to C[1] C[2] C[3] C[4] with masks α1..α4, the masks now derived from a chain of multiplications by L running over the preceding message blocks; the tag T is computed from the checksum M[1] ⊕ M[2] ⊕ M[3] ⊕ M[4] under a further mask δ]

14 / 23

SLIDE 39

Motivation: ManTiCore, Beaver et al. ACISP ’04

[Figure: each pair (M[1], M[2]) and (M[3], M[4]) goes through Feistel-like rounds with round functions αi, βi, γi, δi and XORs, giving C[1] C[2] C[3] C[4]; the intermediate values ρi, σi of both pairs are combined as ρ1 ⊕ ρ2 ⊕ σ1 ⊕ σ2 and passed through η to produce the tag T]

αi, βi, γi, δi: uniform random functions (URF)

15 / 23

SLIDE 41

Building A Scheme: Starting Point

[Figure: each pair of message blocks (M[2i−1], M[2i]), i = 1, 2, 3, goes through Feistel-like rounds with round functions βi and γi and XORs, giving the ciphertext pair (C[2i−1], C[2i])]

βi, γi: uniform random functions (URF)

17 / 23

SLIDE 45

Building A Scheme: Adding Dependency

[Figure: the same pairwise rounds, now linked by a chain across the pairs: it starts from N · L, is multiplied by L at each stage (with masks L and L² on the way) and XORed into the rounds, so each pair depends on the preceding ones; the intermediate values of pair i are σi and ρi]

βi, γi: URFs
L: secret value derived from the key
N: nonce

18 / 23

SLIDE 46

Building A Scheme: Adding Authenticity

[Figure: the tag T is computed from ρ1 ⊕ ρ2 ⊕ ρ3 ⊕ σ1 ⊕ σ2 ⊕ σ3 by applying δ1, XORing the nonce N, and applying δ2]

ρi, σi: outputs of URFs
δi: URFs
N: nonce

19 / 23

SLIDE 48

Our Scheme: COBRA

[Figure: the URFs of the previous slides instantiated with the block cipher Ek. Message pairs (M[1], M[2]), (M[3], M[4]), (M[5], M[6]) are processed with masks 2⁰L′, 2¹L′, 2²L′ (each used twice in its pair) together with L; the chain across pairs starts from N · L and multiplies by L, with an L² term; the intermediate values are σ1, σ2, σ3, ρ1, ρ2, ρ3. The tag path applies Ek to ρ1 ⊕ ρ2 ⊕ ρ3 ⊕ σ1 ⊕ σ2 ⊕ σ3, XORs N ⊕ U, and applies Ek again to give T, using masks 3(2²L′ ⊕ L) and 3²(2²L′ ⊕ L). Associated data A[1] A[2] A[3] A[4]10* is processed with Ek, multiplications by J and masks J and 2J to give U.]

J := Ek(1), L := Ek(0), L′ = 4L

20 / 23

SLIDE 53

Proof Idea

1. Switch to URFs (at minimal cost)
2. Collisions prevented by universal hash
   ⇒ outputs are uniform and independent
   ⇒ No relation between block cipher outputs makes forgery difficult

[Figure: one block pair (M[2ℓ − 1], M[2ℓ]) → (C[2ℓ − 1], C[2ℓ]) of the scheme, first with Ek and masks 2⁰L′, L, then with the block cipher calls replaced by URFs βℓ, γℓ; intermediate values σℓ, ρℓ, chain multiplied by L]

21 / 23

SLIDE 54

High Level Comparison With Other Misuse Resistant Schemes

Scheme   Year   No BC Inverse   Parallelizable   Online   Primitives
SIV      2006   ✓               ✗                ✗        2 BC
COPA     2013   ✗               ✓                ✓        2 BC
HBS      2009   ✗               ✓                ✗        BC + UH
BTM      2009   ✓               ✓                ✗        BC + UH
McOE-G   2011   ✗               ✗                ✓        BC + UH
COBRA    2014   ✓               ✓                ✓        BC + UH

Table: Comparing misuse resistant AE modes of operation. BC := block cipher, UH := universal hash

22 / 23

SLIDE 56

Summary and Future Work

COBRA:

1. Misuse resistance
2. Online
3. GCM-like efficiency
   1. One multiplication per block
   2. One block cipher call per block
   3. Parallelizable
4. No block cipher inverse
5. Security reduction to block cipher

Future work: submission to CAESAR; software implementation results

23 / 23

SLIDE 57

Fractional Data: ℓ > 1, 0 < |M[2ℓ]| < n

[Figure: the last two block pairs when the final block M[2ℓ] is partial. The pair (M[2ℓ − 3], M[2ℓ − 2]) uses masks 2^(ℓ−1)L′ and L as before; the pair (M[2ℓ − 1], M[2ℓ]) uses masks 7 · 2^ℓ L′ and 7 · L, and the partial block is processed via a padded value M*; intermediate values σ1, σ2, ρ1, ρ2, chain multiplied by L]

24 / 23

SLIDE 58

Fractional Data: ℓ > 2 and 0 < |M[2ℓ − 1]| ≤ n

[Figure: the last three block pairs when the message ends in an odd block M[2ℓ − 1] of up to n bits. The pairs (M[2ℓ − 5], M[2ℓ − 4]) and (M[2ℓ − 3], M[2ℓ − 2]) use masks 2^(ℓ−2)L′, L and 2^(ℓ−1)L′, L; the final block M[2ℓ − 1] is processed with a padded value M* under masks 7 · 2^ℓ L′ and 7 · L, producing C[2ℓ − 1] and C[2ℓ]; intermediate values σ1, σ2, σ3, ρ1, ρ2, ρ3]

25 / 23
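Added example, not code from the slides or from the COBRA authors: the GF(2^128) arithmetic behind the masks on the COBRA and fractional-data slides (L′ = 4L, the doublings 2^i L′, the factor 7) and a polynomial universal-hash chain of the "× L" kind on the universal-hash and dependency slides. It assumes the OCB-style representation of field elements as 128-bit integers with reduction polynomial x^128 + x^7 + x^2 + x + 1, a constructed sample value in place of L = Ek(0), and a Horner-form chain; COBRA's exact round wiring is in the paper and is not reconstructed here.

```python
MASK128 = (1 << 128) - 1
POLY_LOW = 0x87  # low bits of x^128 + x^7 + x^2 + x + 1 (OCB/COPA convention, assumed)

def double(x: int) -> int:
    """2·x in GF(2^128): shift left, reduce when bit 127 is shifted out."""
    x <<= 1
    if x >> 128:
        x = (x & MASK128) ^ POLY_LOW
    return x

def gf_mul(a: int, b: int) -> int:
    """a·b in GF(2^128) by shift-and-add; a demo, not constant time."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = double(a)
        b >>= 1
    return r

def mask_schedule(L: int, pairs: int) -> list[int]:
    """Per-pair masks 2^(i-1)·L' for i = 1..pairs, with L' = 4L (COBRA slide).
    Each mask is one doubling of the previous one, so all of them are cheap."""
    m = double(double(L))  # L' = 4L
    masks = []
    for _ in range(pairs):
        masks.append(m)
        m = double(m)
    return masks

def times7(x: int) -> int:
    """7·x = 4x ⊕ 2x ⊕ x, the factor the fractional-data slides put on the last
    pair's masks (7·2^l·L', 7·L); separating the partial-block case is assumed."""
    d = double(x)
    return double(d) ^ d ^ x

def uh_chain(L: int, nonce: int, blocks: list[int]) -> list[int]:
    """Polynomial universal hash in Horner form (assumed shape of the '× L' chain):
    v_0 = N·L, v_i = (v_{i-1} ⊕ M[i])·L. Returns every v_i: messages sharing a
    prefix share chain values up to it and, for L ≠ 0, differ right after it."""
    v = gf_mul(nonce, L)
    out = []
    for m in blocks:
        v = gf_mul(v ^ m, L)
        out.append(v)
    return out

# Constructed sample value standing in for L = E_k(0); not from the slides.
SAMPLE_L = 0x0123456789ABCDEF0123456789ABCDEF
```

The prefix behaviour of `uh_chain` is exactly the leakage the online-misuse slide lists: equal prefixes give equal chain values, and because multiplication by a nonzero L is injective the chains diverge at the first differing block.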