Encrypt or Decrypt? To Make a Single-Key BBB Secure Nonce-Based MAC

SLIDE 1

Encrypt or Decrypt? To Make a Single-Key BBB Secure Nonce-Based MAC

Nilanjan Datta 1, Avijit Dutta 2, Mridul Nandi 2 and Kan Yasuda 3

  • 1. Indian Institute of Technology, Kharagpur, India
  • 2. Indian Statistical Institute, Kolkata, India
  • 3. NTT Secure Platform Laboratories, NTT Corporation, Japan

CRYPTO 2018, August 22, 2018

  • N. Datta, A.Dutta, M.Nandi and K.Yasuda

DWCDM: Single-Key BBB Secure MAC 1 / 28

SLIDE 2

Introduction: Wegman-Carter MAC

WC MAC [Wegman and Carter, JCSS 1981]

[Figure: WC MAC construction; labels: $N$, $F_K$, $H_{K_h}$, $M$, $T$]

SLIDE 3

Introduction: Wegman-Carter MAC

WC MAC [Wegman and Carter, JCSS 1981]

[Figure: WC MAC construction; labels: $N$, $F_K$, $H_{K_h}$, $M$, $T$]

  • Nonce Respecting (NR): $O(\epsilon q_v)$ security (Beyond the Birthday Bound)
  • Nonce Misuse (NM): No security!!

SLIDE 4

Introduction: Encrypted Wegman-Carter MAC

EWC MAC [Cogliati and Seurin, CRYPTO 2016]

[Figure: EWC MAC construction; labels: $N$, $F_K$, $E_{K'}$, $H_{K_h}$, $M$, $T$]

SLIDE 5

Introduction: Encrypted Wegman-Carter MAC

EWC MAC [Cogliati and Seurin, CRYPTO 2016]

[Figure: EWC MAC construction; labels: $N$, $F_K$, $E_{K'}$, $H_{K_h}$, $M$, $T$]

  • Nonce Respecting (NR): Same security (Beyond the Birthday Bound)
  • Nonce Misuse (NM): Birthday Bound security

SLIDE 6

Introduction: Encrypted Wegman-Carter MAC

EWC MAC [Cogliati and Seurin, CRYPTO 2016]

[Figure: EWC MAC construction; labels: $N$, $F_K$, $E_{K'}$, $H_{K_h}$, $M$, $T$]

  • Nonce Respecting (NR): Same security (Beyond the Birthday Bound)
  • Nonce Misuse (NM): Birthday Bound security
  • $F_K \to E_K$: NR security drops to Birthday Bound!!

SLIDE 7

Introduction: Encrypted Wegman-Carter MAC

Towards Beyond Birthday Security

[Figure: construction diagram; labels: $N$, $F_K$, $E_{K'}$, $H_{K_h}$, $M$, $T$]

SLIDE 8

Introduction: Encrypted Wegman-Carter MAC

Towards Beyond Birthday Security

[Figure: construction diagram; labels: $N$, $E_{K_1}$, $E_{K_2}$, $\oplus$, $E_{K'}$, $H_{K_h}$, $M$, $T$]

SLIDE 9

Introduction: Encrypted Wegman-Carter MAC

Towards Beyond Birthday Security

[Figure: construction diagram; labels: $N$, $E_{K_1}$, $E_{K_2}$, $\oplus$, $E_{K'}$, $H_{K_h}$, $M$, $T$]

Can we reduce the number of BC calls?

SLIDE 10

Introduction: Encrypted Wegman-Carter with Davies-Meyer

EWCDM MAC [Cogliati and Seurin, CRYPTO 2016]

[Figure: EWCDM construction; labels: $N$, $E_K$, $\oplus$, $E_{K'}$, $z$, $H_{K_h}$, $M$, $T$]

Instantiation of $F_K$ by Keyed Davies-Meyer Construction

SLIDE 11

Introduction: Encrypted Wegman-Carter with Davies-Meyer

EWCDM MAC [Cogliati and Seurin, CRYPTO 2016]

[Figure: EWCDM construction; labels: $N$, $E_K$, $E_{K'}$, $z$, $H_{K_h}$, $M$, $T$]

MAC security: 2n/3-bit (NR setting), n/2-bit (NM setting)

SLIDE 12

Introduction: Encrypted Wegman-Carter with Davies-Meyer

EWCDM MAC [Cogliati and Seurin, CRYPTO 2016]

[Figure: EWCDM construction; labels: $N$, $E_K$, $E_{K'}$, $z$, $H_{K_h}$, $M$, $T$]

MAC security: 2n/3-bit (NR setting), n/2-bit (NM setting)

Conjecture of Cogliati and Seurin: EWCDM is secure up to ≈ n-bit (NR setting).

SLIDE 13

Introduction: Encrypted Wegman-Carter with Davies-Meyer

EWCDM MAC [Cogliati and Seurin, CRYPTO 2016]

[Figure: EWCDM construction; labels: $N$, $E_K$, $E_{K'}$, $z$, $H_{K_h}$, $M$, $T$]

MAC security: 2n/3-bit (NR setting), n/2-bit (NM setting)

Conjecture of Cogliati and Seurin: Single keyed EWCDM (i.e. $K = K'$) is BBB Secure against NR adversaries.

SLIDE 14

Introduction: Current Results on EWCDM

  • [Mennink and Neves, CRYPTO 2016]: Optimal PRF security of EWCDM (NR setting)
  • n-bit security of Mirror Theory: Unverifiable!!
  • [Cogliati and Seurin, DCC 2018]: Difficulty of proving the security of single-keyed EWCDM

SLIDE 15

Content

Outline

  • Decrypted Wegman-Carter with Davies-Meyer (DWCDM)
      - Specification
      - Necessity of Nonce-space Reduction
  • (Extended) Mirror Theory
      - Mirror Theory
      - Extended Mirror Theory
  • Security of DWCDM
      - H-Coefficient Technique
      - Proof Approach
  • 1K-DWCDM

SLIDE 16

DWCDM: Decrypted Wegman-Carter with Davies-Meyer

Decrypted Wegman-Carter with Davies-Meyer (DWCDM)

[Figure: DWCDM construction; labels: $N$, $E_K$, $E_K^{-1}$, $z$, $H_{K_h}$, $M$, $T$]

  • Single Keyed Nonce Based MAC (Nonce Space: 2n/3 bits)
  • MAC security: 2n/3-bit (NR setting), n/2-bit (NM setting)

Assumptions on H

  • Regular, Almost XOR Universal
  • 3-way regular (i.e., $H(X_1) \oplus H(X_2) \oplus H(X_3) = Y\ (\neq 0)$)

SLIDE 17

DWCDM: Necessity of Nonce-space Reduction

[Figure: graph on the nodes $x_1, x_2, x_3, x_4, x_5, x_6$]

$\Pi(x_1) \oplus \Pi(x_2) = H_k(m) + x_1$
$\Pi(x_2) \oplus \Pi(x_3) = H_k(m) + x_2$
$\Pi(x_3) \oplus \Pi(x_4) = H_k(m) + x_3$
$\Pi(x_4) \oplus \Pi(x_5) = H_k(m) + x_4$
$\Pi(x_5) \oplus \Pi(x_6) = H_k(m) + x_5$
$\Pi(x_6) \oplus \Pi(x_3) = H_k(m) + x_6$

SLIDE 18

DWCDM: Necessity of Nonce-space Reduction

[Figure: graph on the nodes $x_1, x_2, x_3, x_4, x_5, x_6$]

$\Pi(x_1) \oplus \Pi(x_2) = H_k(m) + x_1$
$\Pi(x_2) \oplus \Pi(x_3) = H_k(m) + x_2$
$\Pi(x_3) \oplus \Pi(x_4) = H_k(m) + x_3$
$\Pi(x_4) \oplus \Pi(x_5) = H_k(m) + x_4$
$\Pi(x_5) \oplus \Pi(x_6) = H_k(m) + x_5$
$\Pi(x_6) \oplus \Pi(x_3) = H_k(m) + x_6$

  • $x_3 + x_4 + x_5 + x_6 = 0$

SLIDE 19

DWCDM: Necessity of Nonce-space Reduction

[Figure: graph on the nodes $x_1, x_2, x_3, x_4, x_5, x_6$]

$\Pi(x_1) \oplus \Pi(x_2) = H_k(m) + x_1$
$\Pi(x_2) \oplus \Pi(x_3) = H_k(m) + x_2$
$\Pi(x_3) \oplus \Pi(x_4) = H_k(m) + x_3$
$\Pi(x_4) \oplus \Pi(x_5) = H_k(m) + x_4$
$\Pi(x_5) \oplus \Pi(x_6) = H_k(m) + x_5$
$\Pi(x_6) \oplus \Pi(x_3) = H_k(m) + x_6$

  • $x_3 + x_4 + x_5 + x_6 = 0$

Forging Event: $(x_i + x_{i+1} + \cdots + x_j = 0) \Rightarrow (x_j, m, x_i)$ is a valid forgery.
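Why the nonce space is cut to 2n/3 bits, worked through on a toy instance (an added example, not code from the slides): the tag relation $\Pi(N) \oplus \Pi(T) = N \oplus H(M)$ is implemented directly, and the chain of equations above is followed until the forging event predicts a tag that was never requested. Assumptions: a seeded 12-bit random permutation stands in for $E_K$, a random table stands in for the keyed hash, the names `ToyDWCDM` and `predict_tag_from_chain` are hypothetical, and the run $x_i, \dots, x_j$ is required to have even length so that the $H_k(m)$ terms cancel.

```python
import random

N_BITS = 12                      # toy block size n (real ciphers use n = 128)
SIZE = 1 << N_BITS


class ToyDWCDM:
    """T = E_K^{-1}(E_K(N) ^ N ^ H(M)), i.e. Pi(N) ^ Pi(T) = N ^ H(M)."""

    def __init__(self, seed, nonce_bits):
        rng = random.Random(seed)
        self.enc = list(range(SIZE))        # stand-in for E_K: random permutation
        rng.shuffle(self.enc)
        self.dec = [0] * SIZE               # E_K^{-1}
        for x, y in enumerate(self.enc):
            self.dec[y] = x
        # Stand-in for the keyed hash H: one random n-bit value per message.
        self.h = [rng.randrange(SIZE) for _ in range(SIZE)]
        self.nonce_limit = 1 << nonce_bits

    def tag(self, nonce, m):
        if not 0 <= nonce < self.nonce_limit:
            raise ValueError("nonce outside the allowed nonce space")
        return self.dec[self.enc[nonce] ^ nonce ^ self.h[m]]

    def verify(self, nonce, m, t):
        return 0 <= nonce < self.nonce_limit and self.tag(nonce, m) == t


def predict_tag_from_chain(mac, m):
    """Feed each tag back as the next nonce for one message m and watch for the
    forging event x_i ^ ... ^ x_j == 0 over an even-length run.
    Returns (x_j, x_i, queried_nonces) with (x_j, m) never queried, or None."""
    for start in range(mac.nonce_limit):
        xs, acc = [start], 0
        first_at = {(0, 0): 0}              # (x_1 ^ ... ^ x_k, k % 2) -> k
        while True:
            j = len(xs)                     # xs[-1] is x_j, not yet queried
            acc ^= xs[-1]
            k = first_at.setdefault((acc, j % 2), j)
            if k != j:                      # x_{k+1} ^ ... ^ x_j == 0, j - k even
                return xs[-1], xs[k], xs[:-1]
            t = mac.tag(xs[-1], m)          # query (x_j, m); the tag is x_{j+1}
            if t >= mac.nonce_limit or t in xs:
                break                       # tag is not a usable fresh nonce
            xs.append(t)
    return None
```

With `nonce_bits = N_BITS` every tag is a legal nonce and the chain can always be extended; with `nonce_bits = 2 * N_BITS // 3` a tag lands inside the nonce space only with probability $2^{-n/3}$, so chains end almost immediately.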

SLIDE 20

Mirror Theory and Extended Mirror Theory: Mirror Theory

Patarin’s Mirror Theory

A system of q equations:

$P_{n_1} \oplus P_{t_1} = \lambda_1$
$P_{n_2} \oplus P_{t_2} = \lambda_2$
$\vdots$
$P_{n_q} \oplus P_{t_q} = \lambda_q$

SLIDE 21

Mirror Theory and Extended Mirror Theory: Mirror Theory

Patarin’s Mirror Theory

A system of q equations:

$P_{n_1} \oplus P_{t_1} = \lambda_1$
$P_{n_2} \oplus P_{t_2} = \lambda_2$
$\vdots$
$P_{n_q} \oplus P_{t_q} = \lambda_q$

Let $\phi : \{n_1, t_1, \dots, n_q, t_q\} \to \{1, \dots, r\}$ be a surjective index mapping function.

SLIDE 22

Mirror Theory and Extended Mirror Theory: Mirror Theory

Patarin’s Mirror Theory

Equivalent reduced system of q equations:

$P_{\phi(n_1)} \oplus P_{\phi(t_1)} = \lambda_1$
$P_{\phi(n_2)} \oplus P_{\phi(t_2)} = \lambda_2$
$\vdots$
$P_{\phi(n_q)} \oplus P_{\phi(t_q)} = \lambda_q$

System of q equations over $P = \{P_1, \dots, P_r\}$ variables.

SLIDE 23

Mirror Theory and Extended Mirror Theory: Mirror Theory

Patarin’s Mirror Theory

Equivalent reduced system of q equations:

$P_{\phi(n_1)} \oplus P_{\phi(t_1)} = \lambda_1$
$P_{\phi(n_2)} \oplus P_{\phi(t_2)} = \lambda_2$
$\vdots$
$P_{\phi(n_q)} \oplus P_{\phi(t_q)} = \lambda_q$

System of q equations over $P = \{P_1, \dots, P_r\}$ variables.

Goal of Mirror Theory

  • Lower bound the number of solutions to $P$ such that $P_a \neq P_b$ for $a \neq b \in \{1, \dots, r\}$.

SLIDE 24

Mirror Theory and Extended Mirror Theory: Mirror Theory

Patarin’s Mirror Theory

System of Equations

  • r distinct unknowns
  • System of equations: $P_{n_i} \oplus P_{t_i} = \lambda_i$, $i \in \{1, \dots, q\}$
  • Index mapping function $\phi : \{n_1, t_1, \dots, n_q, t_q\} \to \{1, \dots, r\}$

SLIDE 25

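Mirror Theory and Extended Mirror Theory: Mirror Theory

Patarin’s Mirror Theory

System of Equations

  • r distinct unknowns
  • System of equations: $P_{n_i} \oplus P_{t_i} = \lambda_i$, $i \in \{1, \dots, q\}$
  • Index mapping function $\phi : \{n_1, t_1, \dots, n_q, t_q\} \to \{1, \dots, r\}$

Graph Based View

Circle: [Figure: graph with vertices $P_{\phi(n_1)} = P_{\phi(n_2)}$, $P_{\phi(t_1)} = P_{\phi(n_3)}$, $P_{\phi(t_3)} = P_{\phi(t_2)}$ and edge labels $\lambda_1$, $\lambda_3$, $\lambda_2$]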

SLIDE 26

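Mirror Theory and Extended Mirror Theory: Mirror Theory

Patarin’s Mirror Theory

System of Equations

  • r distinct unknowns
  • System of equations: $P_{n_i} \oplus P_{t_i} = \lambda_i$, $i \in \{1, \dots, q\}$
  • Index mapping function $\phi : \{n_1, t_1, \dots, n_q, t_q\} \to \{1, \dots, r\}$

Graph Based View

Circle: [Figure: graph with vertices $P_{\phi(n_1)} = P_{\phi(n_2)}$, $P_{\phi(t_1)} = P_{\phi(n_3)}$, $P_{\phi(t_3)} = P_{\phi(t_2)}$ and edge labels $\lambda_1$, $\lambda_3$, $\lambda_2$]

Degenerate: [Figure: graph with vertices $P_{\phi(n_1)}$, $P_{\phi(n_2)}$, $P_{\phi(t_1)} = P_{\phi(n_3)}$, $P_{\phi(t_2)} = P_{\phi(t_3)}$ and edge labels $\lambda_1$, $\lambda_1 + \lambda_2$, $\lambda_2$]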

SLIDE 27

Mirror Theory and Extended Mirror Theory: Mirror Theory

Patarin’s Mirror Theory

Main result (Mirror Theory): If $G[\phi, \lambda]$ is (i) circle-free and (ii) non-degenerate for a fixed $\phi$ and $\lambda = (\lambda_1, \dots, \lambda_q)$, then the number of distinct solutions is at least $\frac{(2^n)_r}{2^{nq}}$, provided the maximum component size $\xi_{\max}$ of $G[\phi, \lambda]$ satisfies $(\xi_{\max} - 1)^2 \cdot r \le 2^n/67$.
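A brute-force check of this lower bound on small parameters, as an added example that is not from the slides: it counts the pairwise-distinct solutions of a system $P_a \oplus P_b = \lambda$ exactly and compares the count with $(2^n)_r / 2^{nq}$. Assumptions: $(2^n)_r$ is read as the falling factorial $2^n(2^n - 1)\cdots(2^n - r + 1)$, equations are given as hypothetical `(a, b, lam)` triples over variable indices 1..r, and the function names are illustrative.

```python
from itertools import product
from math import perm


def count_distinct_solutions(n, r, equations):
    """Count assignments of pairwise-distinct n-bit values to P_1..P_r that
    satisfy every (a, b, lam) in equations, meaning P_a ^ P_b == lam."""
    adj = {v: [] for v in range(1, r + 1)}
    for a, b, lam in equations:
        adj[a].append((b, lam))
        adj[b].append((a, lam))
    offset, roots = {}, []           # P_v = (value of v's component root) ^ offset
    for v in adj:
        if v in offset:
            continue
        roots.append(v)
        offset[v] = (len(roots) - 1, 0)
        stack = [v]
        while stack:
            u = stack.pop()
            comp, off = offset[u]
            for w, lam in adj[u]:
                if w not in offset:
                    offset[w] = (comp, off ^ lam)
                    stack.append(w)
                elif offset[w][1] != off ^ lam:
                    return 0         # a circle whose labels do not XOR to zero
    total = 0
    # One free n-bit value per component; every other variable is determined.
    for vals in product(range(1 << n), repeat=len(roots)):
        ps = {vals[c] ^ off for c, off in offset.values()}
        total += len(ps) == r        # keep only pairwise-distinct assignments
    return total


def mirror_bound(n, r, q):
    """(2^n)_r / 2^(nq), with (2^n)_r the falling factorial."""
    return perm(1 << n, r) / (1 << (n * q))
```

For n = 9 and the two disjoint equations `[(1, 2, 1), (3, 4, 2)]` (r = 4, maximum component size 2, so the size condition holds) the exact count is 260096 against a bound of about 259083; a degenerate system such as `[(1, 2, 1), (2, 3, 1)]`, which forces $P_1 = P_3$, has no distinct solution at all.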

SLIDE 28

Mirror Theory and Extended Mirror Theory: Extended Mirror Theory

  • Proof of Mirror theory: An inductive proof on the number of components
  • Verifiable up to 3n/4 bit security
  • By definition, Mirror theory deals with a general system of equations and non-equations; however, the treatment of non-equations has nowhere been found till date!!

SLIDE 29

Mirror Theory and Extended Mirror Theory: Extended Mirror Theory

  • Proof of Mirror theory: An inductive proof on the number of components
  • Verifiable up to 3n/4 bit security
  • By definition, Mirror theory deals with a general system of equations and non-equations; however, the treatment of non-equations has nowhere been found till date!!

Goal of Extended Mirror Theory: Lower bound on the number of distinct solutions of a system of bivariate affine equations with bivariate affine non-equations

SLIDE 30

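Mirror Theory and Extended Mirror Theory: Extended Mirror Theory

System of Equations and Non-Equations

  • $P = \{P_1, \dots, P_r\}$
  • $P_{n_i} \oplus P_{t_i} = \lambda_i$, $i \in \{1, \dots, q\}$; $P_{n_j} \oplus P_{t_j} \neq \lambda_j$, $j \in \{q + 1, \dots, q + v\}$
  • $\phi : \{n_1, t_1, \dots, n_q, t_q, n_{q+1}, t_{q+1}, \dots, n_{q+v}, t_{q+v}\} \to \{1, \dots, r\}$

Circle, Degeneracy

Circle: [Figure: graph with vertices $P_{\phi(n_1)} = P_{\phi(n_2)}$, $P_{\phi(t_1)} = P_{\phi(n_3)}$, $P_{\phi(t_3)} = P_{\phi(t_2)}$ and edge labels $\lambda_1$, $\lambda_3$, $\lambda_2$]

Degenerate: [Figure: graph with vertices $P_{\phi(n_1)}$, $P_{\phi(n_2)}$, $P_{\phi(t_1)} = P_{\phi(n_3)}$, $P_{\phi(t_2)} = P_{\phi(t_3)}$ and edge labels $\lambda_1$, $\lambda_1 + \lambda_2$, $\lambda_2$]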

SLIDE 31

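Mirror Theory and Extended Mirror Theory: Extended Mirror Theory

System of Equations and Non-Equations

  • $P = \{P_1, \dots, P_r\}$
  • $P_{n_i} \oplus P_{t_i} = \lambda_i$, $i \in \{1, \dots, q\}$; $P_{n_j} \oplus P_{t_j} \neq \lambda_j$, $j \in \{q + 1, \dots, q + v\}$
  • $\phi : \{n_1, t_1, \dots, n_q, t_q, n_{q+1}, t_{q+1}, \dots, n_{q+v}, t_{q+v}\} \to \{1, \dots, r\}$

Degeneracy-II

$P_{\phi(n_1)} \oplus P_{\phi(t_1)} = \lambda_1$
$P_{\phi(n_2)} \oplus P_{\phi(t_2)} = \lambda_2$
$P_{\phi(n_3)} \oplus P_{\phi(t_3)} = \lambda_1 + \lambda_2$

[Figure: graph with vertices $P_{\phi(n_1)} = P_{\phi(n_2)}$, $P_{\phi(t_1)} = P_{\phi(n_3)}$, $P_{\phi(t_2)} = P_{\phi(t_3)}$ and edge labels $\lambda_1$, $\lambda_1 + \lambda_2$, $\lambda_2$]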

SLIDE 32

Mirror Theory and Extended Mirror Theory: Extended Mirror Theory

System of Equations and Non-Equations

  • $P = \{P_1, \dots, P_r\}$
  • $P_{n_i} \oplus P_{t_i} = \lambda_i$, $i \in \{1, \dots, q\}$; $P_{n_j} \oplus P_{t_j} \neq \lambda_j$, $j \in \{q + 1, \dots, q + v\}$
  • $\phi : \{n_1, t_1, \dots, n_q, t_q, n_{q+1}, t_{q+1}, \dots, n_{q+v}, t_{q+v}\} \to \{1, \dots, r\}$

Main result (Extended Mirror Theory): If $G[\phi, \lambda']$ is (i) circle-free and (ii) non-degenerate of type-I and II for a fixed $\phi$ and $\lambda' = (\lambda_1, \dots, \lambda_q, \lambda_{q+1}, \dots, \lambda_{q+v})$, then the number of distinct solutions with $\xi_{\max} = 3$ is at least $\frac{(2^n)_{3q/2}}{2^{nq}} \left(1 - \frac{5q^3}{2^{2n}} - \frac{v}{2^n}\right)$.

SLIDE 33

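Security Proof of DWCDM: H-Coefficient Technique

[Figure: adversary $A$ interacting with the Real World ($F_K$, $\mathrm{Ver}_K$) or the Ideal World ($\$$, $\bot$)]

$\mathrm{Adv}^{\mathrm{real}}_{\mathrm{ideal}}(A) = \left| \Pr[A^{F_K, \mathrm{Ver}_K} = 1] - \Pr[A^{\$, \bot} = 1] \right|$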

SLIDE 34

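Security Proof of DWCDM: H-Coefficient Technique

[Figure: adversary $A$ interacting with the Real World ($F_K$, $\mathrm{Ver}_K$) or the Ideal World ($\$$, $\bot$)]

$\mathrm{Adv}^{\mathrm{real}}_{\mathrm{ideal}}(A) = \left| \Pr[A^{F_K, \mathrm{Ver}_K} = 1] - \Pr[A^{\$, \bot} = 1] \right|$

Transcript: $\tau = \tau_m \cup \tau_v$

$\tau_m = ((N_1, M_1, T_1), \dots, (N_{q_m}, M_{q_m}, T_{q_m}))$
$\tau_v = ((N'_1, M'_1, T'_1, b_1), \dots, (N'_{q_v}, M'_{q_v}, T'_{q_v}, b_{q_v}))$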

SLIDE 35

Security Proof of DWCDM: H-Coefficient Technique

  • $X_{re}$ := probability distribution of transcript in real world.
  • $X_{id}$ := probability distribution of transcript in ideal world.
  • $V = \mathrm{GoodT} \sqcup \mathrm{BadT}$

Main Theorem (H-Coefficient Technique): If there exist $\epsilon_{ratio}, \epsilon_{bad} \ge 0$ such that (i) for all $\tau \in \mathrm{GoodT}$, $\frac{\Pr[X_{re} = \tau]}{\Pr[X_{id} = \tau]} \ge 1 - \epsilon_{ratio}$ and (ii) $\Pr[X_{id} \in \mathrm{BadT}] \le \epsilon_{bad}$, then $\mathrm{Adv}^{\mathrm{real}}_{\mathrm{ideal}}(A) \le \epsilon_{ratio} + \epsilon_{bad}$.

SLIDE 36

Security Proof of DWCDM

An Overview of the Security Proof of DWCDM

MAC Equations $(E_m)$:

$\Pi(N_1) \oplus \Pi(T_1) = \lambda_1$
$\Pi(N_2) \oplus \Pi(T_2) = \lambda_2$
$\vdots$
$\Pi(N_{q_m}) \oplus \Pi(T_{q_m}) = \lambda_{q_m}$

Ver Equations $(E_v)$:

$\Pi(N'_1) \oplus \Pi(T'_1) = \lambda'_1$
$\Pi(N'_2) \oplus \Pi(T'_2) = \lambda'_2$
$\vdots$
$\Pi(N'_{q_v}) \oplus \Pi(T'_{q_v}) = \lambda'_{q_v}$

$\lambda_i = N_i \oplus H_k(M_i)$, $\lambda'_i = N'_i \oplus H_k(M'_i)$

SLIDE 37

Security Proof of DWCDM

An Overview of the Security Proof of DWCDM

MAC Equations $(E_m)$:

$\Pi(N_1) \oplus \Pi(T_1) = \lambda_1$
$\Pi(N_2) \oplus \Pi(T_2) = \lambda_2$
$\vdots$
$\Pi(N_{q_m}) \oplus \Pi(T_{q_m}) = \lambda_{q_m}$

Ver Equations $(E_v)$:

$\Pi(N'_1) \oplus \Pi(T'_1) = \lambda'_1$
$\Pi(N'_2) \oplus \Pi(T'_2) = \lambda'_2$
$\vdots$
$\Pi(N'_{q_v}) \oplus \Pi(T'_{q_v}) = \lambda'_{q_v}$

$\lambda_i = N_i \oplus H_k(M_i)$, $\lambda'_i = N'_i \oplus H_k(M'_i)$

Bad Events and Bounds

  • (C.1) $\lambda_i = 0$: $\Pr[C.1] \le q_m \epsilon_{reg}$
  • (C.2) $\lambda_i = \lambda_j$, $T_i = T_j$ (Degeneracy-I): $\Pr[C.2] \le q_m^2 \epsilon_{axu} / 2^n$
  • (C.3) $N_i = T_j$, $\lambda_i = \lambda_j$ (Degeneracy-I): $\Pr[C.3] \le q_m \epsilon_{axu} / 2^{n/3}$
  • (C.4) $T_i = 0$: $\Pr[C.4] \le q_m / 2^n$

SLIDE 38

Security Proof of DWCDM

An Overview of the Security Proof of DWCDM

(C.5) Component Size of MAC Graph is 3

[Figure: three graphs on the nodes $i$, $j$, $k$, one per case: $T_i = T_j = T_k$; $T_i = T_j = N_k$; $N_i = T_j$, $N_j = T_k$]

SLIDE 39

Security Proof of DWCDM

An Overview of the Security Proof of DWCDM

(C.5) Component Size of MAC Graph is 3

[Figure: three graphs on the nodes $i$, $j$, $k$, one per case: $T_i = T_j = T_k$; $T_i = T_j = N_k$; $N_i = T_j$, $N_j = T_k$]

(C.6) Circle in MAC Graph

[Figure: a self loop on node $i$ and a parallel edge between nodes $i$ and $j$]

SLIDE 40

Security Proof of DWCDM

An Overview of the Security Proof of DWCDM

(C.5) Component Size of MAC Graph is 3

[Figure: three graphs on the nodes $i$, $j$, $k$, one per case: $T_i = T_j = T_k$; $T_i = T_j = N_k$; $N_i = T_j$, $N_j = T_k$]

(C.6) Circle in MAC Graph

[Figure: a self loop on node $i$ and a parallel edge between nodes $i$ and $j$]

Bounds

  • $\Pr[C.5] \le q_m / 2^{2n/3}$
  • $\Pr[C.6] \le q_m / 2^{2n/3}$

SLIDE 41

Security Proof of DWCDM

An Overview of the Security Proof of DWCDM

(C.7) Circle in Verification Graph:

(A) Cycle of length two

[Figure: three cases: a loop on node $a$ with $N'_a = T_a$; nodes $a$, $i$ with $N'_a = N_i$, $T'_a = T_i$; nodes $a$, $i$ with $N'_a = T_i$, $T'_a = N_i$]

(B) Cycle of length three

Bound: $\Pr[C.7] \le \max\{2 q_v \epsilon_{3\text{-}reg},\ 2 q_v \epsilon_{axu},\ q_v \epsilon_{reg},\ q_m / 2^{2n/3}\}$

SLIDE 42

Security Proof of DWCDM

An Overview of the Security Proof of DWCDM

Summarize

  • $\epsilon_{bad} \approx O(q_m / 2^{2n/3})$
  • $\epsilon_{good} = \frac{5 q_m^3}{2^{2n}} + \frac{q_v}{2^n}$ (From Extended Mirror Theory)

MAC security of DWCDM: $\mathrm{Adv}(A) \le O(q_m / 2^{2n/3}) + q_v / 2^n$

SLIDE 43

1K-DWCDM

A Glimpse of Pure 1K-DWCDM

  • Derive the hash key as $E_K(0^{n-1}1)$
  • Security proof: Consider uni-variate non-equations as well
  • Provides same level of security of DWCDM

SLIDE 44

1K-DWCDM

A Glimpse of Pure 1K-DWCDM

  • Derive the hash key as $E_K(0^{n-1}1)$
  • Security proof: Consider uni-variate non-equations as well
  • Provides same level of security of DWCDM

Our Conjecture: DWCDM can be proven secure up to 3n/4 bit with n − 1 bits of nonce space

SLIDE 45

Thank You

Thank You..!!!
