COLM Elena Andreeva 1 , Andrey Bogdanov 2 , Nilanjan Datta 3 , Atul - - PowerPoint PPT Presentation



Slide 1

COLM

Elena Andreeva1, Andrey Bogdanov2, Nilanjan Datta3, Atul Luykx1, Bart Mennink1, Mridul Nandi3, Elmar Tischhauser2, Kan Yasuda4

1 KU Leuven and iMinds, Belgium; 2 DTU Compute, Denmark; 3 Indian Statistical Institute, India; 4 NTT Secure Platform Laboratories, Japan

September 27, 2016

Slide 2

CAESAR Overview

Table: CAESAR Round 3 Candidates. *Deoxys uses tweakable block cipher modes and creates a new tweakable block cipher.

Dedicated     Block Cipher Mode     Permutation-based
ACORN         AES-OTR               Ascon
AEGIS         CLOC and SILC         Ketje
AEZ           COLM                  Keyak
MORUS         JAMBU                 NORX
Tiaoxin       OCB
              Deoxys*

Slide 3

Block Cipher Mode Disadvantages

  • 1. Usually birthday bound security
  • 2. Efficiency cannot improve beyond the underlying block cipher (see e.g. AEGIS vs. CTR)

Slide 4

Block Cipher Mode Advantages

  • 1. Block ciphers are ubiquitous
  • 2. Can be used with any block cipher
  • 3. A safe bet: security reduction to underlying block cipher

Block size ≥ 128 bits ⇒ can process petabytes of data with success probability well below 2^−30
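As an added check of the claim above (not part of the original slide), taking the generic birthday term $q^2/2^{n+1}$ for $q$ processed blocks as the assumed bound:

$$
n = 128,\qquad 1\ \text{PB} = 2^{50}\ \text{bytes} = 2^{46}\ \text{blocks of 16 bytes},
$$
$$
\frac{q^2}{2^{n+1}} = \frac{(2^{46})^2}{2^{129}} = 2^{92-129} = 2^{-37} \ll 2^{-30},
$$
$$
\frac{q^2}{2^{129}} = 2^{-30} \iff q = 2^{49.5}\ \text{blocks} = 2^{53.5}\ \text{bytes} \approx 11\ \text{PB}.
$$

So with a 128-bit block the birthday term stays below $2^{-30}$ until roughly eleven petabytes have been processed under one key; with a 64-bit block the same term would pass $2^{-30}$ after only $2^{17.5}$ blocks (about 2 MB).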

Slide 6

Block Cipher Modes in Candidates

Table: CAESAR Round 3 Candidates. *Deoxys uses tweakable block cipher modes and creates a new tweakable block cipher.

Dedicated     Block Cipher Mode          Permutation-based
ACORN         AES-OTR                    Ascon
AEGIS         CLOC and SILC              Ketje
AEZ           COLM                       Keyak
MORUS         JAMBU                      NORX
Tiaoxin       OCB
              Deoxys* (ΘCB and SCT)

Slide 7

Robustness

Table: Levels of resistance to nonce misuse.

Level 1          Level 2     Level 3
AES-OTR          COLM        Deoxys-II (SCT)
CLOC and SILC
JAMBU
OCB
Deoxys-I

Slide 8

Background: Online Nonce Misuse Resistance

Figure: three encryptions under distinct nonces (N1, K), (N2, K), (N3, K) of the messages M‖M1, M‖M2 and M′, giving ciphertexts C1‖C*1, C2‖C*2 and C3 with tags T1, T2, T3.

Slide 9

Background: Online Nonce Misuse Resistance

Figure: the same three messages M‖M1, M‖M2 and M′, now all encrypted under one repeated nonce (N, K); ciphertexts still labelled C1‖C*1, C2‖C*2 and C3 with tags T1, T2, T3.

Slide 10

Background: Online Nonce Misuse Resistance

Figure: under the repeated nonce (N, K), M‖M1 encrypts to C‖C*1, M‖M2 to C‖C*2 and M′ to C′, with tags T1, T2, T3: the shared message prefix M produces the shared ciphertext prefix C.

Slide 14

Background: Online Nonce Misuse Resistance

Figure: under the repeated nonce (N, K), M‖M1 encrypts to C‖C*1, M‖M2 to C‖C*2 and M′ to C′, with tags T1, T2, T3.

  • 1. Equality of prefixes of messages determined
  • 2. No relationship past common prefix
  • 3. Hoang et al. CRYPTO 2015 attack...
  • 4. but still much more robust than GCM, OCB, OTR, ...

Slide 16

Advantage over SCT: Online Scheme

  • 1. High latency (receive full message before first output)
  • 2. Storage issues (large internal state)

Figure: dependency in SCT: every ciphertext block C[1]..C[4] and the tag T depend on all of M[1]..M[4].

Figure: dependency in COLM: each ciphertext block C[i] depends only on M[1]..M[i]; the tag T depends on all of M[1]..M[4].

Slide 17

COLM Comparison with ELmD and COPA

                                        COPA   ELmD   COLM
Simplified masking                                     ✓
Fully parallelizable authentication     ✓              ✓
XOR mixing for authentication           ✓              ✓
ρ mixing for encryption                        ✓       ✓
Bottom layer encryption                 ✓              ✓
Intermediate tags                              ✓       ✓

Slide 18

COLM Description

Figure: COLM encryption (diagram recovered as text; the definition of ρ and the derivation of L, L1, L2 are not shown on the slide).
  Associated data, processed in parallel and XOR-mixed: the first input is npub‖param ⊕ L1; AA[i] = A[i] ⊕ 2^i·L1 and Z[i] = E_K(AA[i]) for i = 1..a; the Z[i] are summed into IV.
  Message, top layer: MM[i] = M[i] ⊕ 2^i·L for i < l, MM[l] = M[l] ⊕ 7·2^(l−1)·L, MM[l+1] = M[l+1] ⊕ 7·2^l·L; X[i] = E_K(MM[i]).
  Mixing: (Y[i], W[i]) = ρ(X[i], W[i−1]) with W[0] = IV.
  Bottom layer: CC[i] = E_K(Y[i]); C[i] = CC[i] ⊕ 2^i·L2 for i < l, C[l] = CC[l] ⊕ 7·2^(l−1)·L2, C[l+1] = CC[l+1] ⊕ 7·2^l·L2.
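Added example (not from the slides or the COLM designers' reference code): a Python model of the encryption layout drawn above, with the same top-layer masks 2^i·L, 7·2^(l−1)·L, 7·2^l·L and bottom-layer masks on L2, which also demonstrates the online nonce-misuse behaviour of slides 8 to 14 (equal ciphertext prefix for an equal message prefix under a repeated nonce, no relationship past it). Assumptions not given on the slides: a constructed toy Feistel permutation stands in for AES, the masks are derived as L, L1, L2 = E_K(0), E_K(1), E_K(2), the extra block M[l+1] is the XOR checksum of the message blocks, and ρ takes the form (x ⊕ 2·st, x ⊕ st).

```python
import hashlib, functools

BLOCK, MASK128 = 16, (1 << 128) - 1

def toy_prp(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES-128 (constructed toy, not secure): a 4-round Feistel
    # with SHA-256 round functions, which is at least a genuine permutation.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + r).digest()[:8]
        l, r = r, bytes(a ^ b for a, b in zip(l, f))
    return l + r

def dbl(x: int) -> int:  # doubling in GF(2^128) mod x^128 + x^7 + x^2 + x + 1
    x <<= 1
    return (x ^ 0x87) & MASK128 if x >> 128 else x

def top_mask(base: int, i: int, l: int) -> int:
    # Masks as drawn: 2^i*base for i < l, 7*2^(l-1)*base for block l and
    # 7*2^l*base for the extra block l+1; 7*p = p ^ 2p ^ 4p.
    p = base
    for _ in range(i if i < l else i - 1):
        p = dbl(p)
    return p if i < l else p ^ dbl(p) ^ dbl(dbl(p))

def rho(x: int, st: int):  # linear mixing; this exact form is an assumption
    return x ^ dbl(st), x ^ st

def colm_encrypt(key: bytes, npub: bytes, ad: list, msg: list) -> bytes:
    E = lambda v: int.from_bytes(toy_prp(key, v.to_bytes(BLOCK, "big")), "big")
    L, L1, L2 = (E(c) for c in (0, 1, 2))      # mask derivation is assumed
    iv, m = E(int.from_bytes(npub.ljust(BLOCK, b"\0"), "big") ^ L1), L1
    for a in ad:                               # parallel AD layer, XOR-mixed
        m = dbl(m)
        iv ^= E(a ^ m)
    blocks = msg + [functools.reduce(lambda u, v: u ^ v, msg, 0)]  # M[l+1]: assumed checksum
    w, l, out = iv, len(msg), []
    for i, mi in enumerate(blocks, 1):
        x = E(mi ^ top_mask(L, i, l))          # top layer E_K
        y, w = rho(x, w)                       # rho with chain state W[i-1]
        out.append(E(y) ^ top_mask(L2, i, l))  # bottom layer E_K and mask
    return b"".join(c.to_bytes(BLOCK, "big") for c in out)

def prefix_demo(key: bytes = b"k" * 16, npub: bytes = b"nonce") -> tuple:
    # Nonce reuse with a shared 2-block prefix: C[1..2] coincide, the rest differs.
    blk = lambda s: int.from_bytes(s.ljust(BLOCK, b"\0"), "big")
    common, hdr = [blk(b"shared-block-1"), blk(b"shared-block-2")], [blk(b"hdr")]
    c1 = colm_encrypt(key, npub, hdr, common + [blk(b"tail-A")])
    c2 = colm_encrypt(key, npub, hdr, common + [blk(b"tail-B")])
    return c1[:2 * BLOCK] == c2[:2 * BLOCK], c1[2 * BLOCK:] != c2[2 * BLOCK:]
```

The returned pair (True, True) is exactly the Level 2 behaviour of slide 7: a repeated nonce leaks prefix equality and nothing more, whereas SCT would change every block.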

Slide 19

Summary

COLM: strengths of COPA + ELmD

  • 1. security reduction to block cipher
  • 2. online misuse resistance: most robust AES-mode in the competition
  • 3. highly parallelizable

Thank you for your attention.

Slide 20

References

1. Andreeva et al. “How to securely release unverified plaintext in authenticated encryption” ASIACRYPT 2014
2. Hoang et al. “Online authenticated-encryption and its nonce-reuse misuse-resistance” CRYPTO 2015
3. Dobraunig et al. “Related-Key Forgeries for Prøst-OTR” FSE 2015
4. Nandi “XLS is Not a Strong Pseudorandom Permutation” ASIACRYPT 2014
5. Nandi “Revisiting Security Claims of XLS and COPA” eprint
6. Lu “On the Security of the COPA and Marble Authenticated Encryption Algorithms against (Almost) Universal Forgery Attack” eprint
7. Fuhr et al. “Collision Attacks against CAESAR Candidates” ASIACRYPT 2015
8. Bogdanov et al. “Comb to Pipeline: Fast Software Encryption Revisited” FSE 2015
9. Dobraunig et al. “Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes” ASIACRYPT 2016
10. Nandi “On the Optimality of Non-Linear Computations of Length-Preserving Encryption Schemes” ASIACRYPT 2015
11. Kaplan et al. “Breaking Symmetric Cryptosystems using Quantum Period Finding” CRYPTO 2016
12. Bay et al. “Universal Forgery and Key Recovery Attacks on ELmD Authenticated Encryption Algorithm” ASIACRYPT 2016