Indifferentiable Authenticated Encryption Pooya Farshim Manuel - - PowerPoint PPT Presentation

Indifferentiable
 Authenticated Encryption

Manuel Barbosa 


(Porto)

Pooya Farshim

(CNRS & ENS)

Indifferentiable
 Authenticated Encryption

Manuel Barbosa 


(Porto)

Pooya Farshim

(CNRS & ENS)

Hash Functions

long & arbitrary short &
 random-looking SHA

Hash Functions

long & arbitrary short &
 random-looking SHA Provably security 
 not always possible.

Random Oracles

long & arbitrary short &
 random-looking SHA

Random Oracles

Random Function long & arbitrary short &
 random-looking

Random Oracles

Random Oracle long & arbitrary short &
 random-looking

Random Oracles are Practical

๏ Public-Key Enc. (OAEP, ECIES) ๏ Signatures (PSS, FDH) ๏ TLS 1.3 ๏ Symmetric schemes ๏ …. Provable Security for 
 Many Simple & Efficient Protocols Ideal Hash

This Talk

This Talk

Encryption

This Talk

Encryption Ideal Hash

This Talk

Encryption Inherit
 all strengths Ideal Hash

This Talk

Encryption Inherit
 all strengths Ideal Ideal Hash

This Talk

Random Function Encryption Inherit
 all strengths Ideal Ideal Hash

This Talk

Random Function What Object? Encryption Inherit
 all strengths Ideal Ideal Hash

Authenticated Encryption

• 1. K ↞ Gen(1λ)
• 2. C ← Enc(K,N,A,M,!) |C|=|M| + !
• 3. M/⟘ ← Dec(K,N,A,C,!)

Authenticated Encryption

Security says: under an unknown random key K ๏ Nothing about messages leaks ๏ Cannot forge new valid ciphertexts

• 1. K ↞ Gen(1λ)
• 2. C ← Enc(K,N,A,M,!) |C|=|M| + !
• 3. M/⟘ ← Dec(K,N,A,C,!)

Authenticated Encryption

Simplifying

• 1. K ↞ Gen(1λ)
• 2. C ← Enc(K,M) |C|=|M| + !
• 3. M/⟘ ← Dec(K,C)

Simplifying

• 1. K ↞ Gen(1λ)
• 2. C ← Enc(K,M) |C|=|M| + !
• 3. M/⟘ ← Dec(K,C)

A Keyed Injection

Ideal Encryption

Ideal Encryption

Hash

Ideal Encryption

Function Hash

Ideal Encryption

Ideal Hash Function Hash

Ideal Encryption

Random Ideal Hash Function Hash

Ideal Encryption

Cipher Random Ideal Hash Function Hash

Ideal Encryption

Keyed Permutation Cipher Random Ideal Hash Function Hash

Ideal Encryption

Ideal Cipher Keyed Permutation Cipher Random Ideal Hash Function Hash

Ideal Encryption

Random Ideal Cipher Keyed Permutation Cipher Random Ideal Hash Function Hash

Ideal Encryption

Encryption Random Ideal Cipher Keyed Permutation Cipher Random Ideal Hash Function Hash

Ideal Encryption

Keyed Injection Encryption Random Ideal Cipher Keyed Permutation Cipher Random Ideal Hash Function Hash

Ideal Encryption

Keyed Injection Encryption Random Ideal Cipher Keyed Permutation Cipher Ideal Encryption Random Ideal Hash Function Hash

Random

Ideal Encryption

Keyed Injection Encryption Random Ideal Cipher Keyed Permutation Cipher Ideal Encryption Random Ideal Hash Function Hash

Random

Ideal Encryption

Keyed Injection Encryption Random Ideal Cipher Keyed Permutation Cipher Ideal Encryption Random Ideal Hash Function Hash New 
 Ideal Model

Encryption

Random Function Encryption Inherit
 all strengths Ideal Ideal Hash What Object?

Encryption

Random Function Random Keyed Injection Encryption Inherit
 all strengths Ideal Ideal Hash

Encryption

Random Function Random Keyed Injection Encryption Inherit
 all strengths Ideal Ideal Hash

Encryption

Random Function Indifferentiability Random Keyed Injection Encryption Inherit
 all strengths Ideal Ideal Hash

Indifferentiability

CRO is “as good as” iEnc:

Indifferentiability

≈ iEnc CRO CRO is “as good as” iEnc:

Indifferentiability

≈ iEnc , RO CRO CRO is “as good as” iEnc:

Indifferentiability

≈ iEnc , RO CRO , RO CRO is “as good as” iEnc:

Indifferentiability

≈ , SiEnc iEnc , RO CRO CRO is “as good as” iEnc:

Indifferentiability

C RO iEnc S D

≈ , SiEnc iEnc , RO CRO CRO is “as good as” iEnc:

Indifferentiability

C RO iEnc S D

≈ , SiEnc iEnc , RO CRO Unified Attack Surface CRO is “as good as” iEnc:

Indifferentiability

C RO iEnc S D

≈ , SiEnc iEnc , RO CRO Unified Attack Surface Keys can be under adversarial control CRO is “as good as” iEnc:

Why Indifferentiability?

Theorem [MRH04]: If CRO is indifferentiable from iEnc, then it is secure in many adversarial environments in the RO model.

Why Indifferentiability?

Theorem [MRH04]: If CRO is indifferentiable from iEnc, then it is secure in many adversarial environments in the RO model.

AE, MRAE, & RAE

Why Indifferentiability?

Theorem [MRH04]: If CRO is indifferentiable from iEnc, then it is secure in many adversarial environments in the RO model.

RKA Security KDM Security Deduplication Committing Encryption Leakage Resilience AE, MRAE, & RAE

Why Indifferentiability?

Theorem [MRH04]: If CRO is indifferentiable from iEnc, then it is secure in many adversarial environments in the RO model.

RKA Security KDM Security Deduplication Committing Encryption Leakage Resilience AE, MRAE, & RAE Unforeseen Models Combined Models

Why Indifferentiability?

Theorem [MRH04]: If CRO is indifferentiable from iEnc, then it is secure in many adversarial environments in the RO model.

RKA Security KDM Security Deduplication Committing Encryption Leakage Resilience AE, MRAE, & RAE Unforeseen Models Combined Models Single stage

So…

Are there any indifferentiable encryption schemes out there?

Generic Composition [NRS14]

T N A M T N C

EK

T FL N A M T N FL IV IV IV IV T N IV T N IV N IV T N IV T

scheme

A1

scheme

A2

scheme

A3

scheme

A4

scheme

A7

scheme

A6

scheme

A5

scheme

A8

FL

EK EK EK EK EK EK EK

FL FL FL FL FL FL FL FL FL FL FL FL M M M M M C C C M A A A C C A A A C C

Generic Composition [NRS14]

T N A M T N C

EK

T FL N A M T N FL IV IV IV IV T N IV T N IV N IV T N IV T

scheme

A1

scheme

A2

scheme

A3

scheme

A4

scheme

A7

scheme

A6

scheme

A5

scheme

A8

FL

EK EK EK EK EK EK EK

FL FL FL FL FL FL FL FL FL FL FL FL M M M M M C C C M A A A C C A A A C C

Enc-then-Mac

Generic Composition [NRS14]

T N A M T N C

EK

T FL N A M T N FL IV IV IV IV T N IV T N IV N IV T N IV T

scheme

A1

scheme

A2

scheme

A3

scheme

A4

scheme

A7

scheme

A6

scheme

A5

scheme

A8

FL

EK EK EK EK EK EK EK

FL FL FL FL FL FL FL FL FL FL FL FL M M M M M C C C M A A A C C A A A C C

Enc-then-Mac Mac-then-Enc

Generic Composition [NRS14]

T N A M T N C

EK

T FL N A M T N FL IV IV IV IV T N IV T N IV N IV T N IV T

scheme

A1

scheme

A2

scheme

A3

scheme

A4

scheme

A7

scheme

A6

scheme

A5

scheme

A8

FL

EK EK EK EK EK EK EK

FL FL FL FL FL FL FL FL FL FL FL FL M M M M M C C C M A A A C C A A A C C

Enc-then-Mac Mac-then-Enc SIV

Attack on Enc-then-Mac

T N A M IV

scheme

A5

FL

EK

FL C

Attack on Enc-then-Mac

T N A M IV

scheme

A5

FL

EK

FL C

Construction: Changing K does not affect T iEnc: Random Injection: changing K will change T

Attack on Enc-then-Mac

T N A M IV

scheme

A5

FL

EK

FL C

Construction: Changing K does not affect T iEnc: Random Injection: changing K will change T Interpretation: Related-Key Attacks

General Attacks

• Algo. AE(K, N, A, M, τ)

(est0, est1) ← Ie(K, N, A, M, τ) (K0, N 0, M 0, τ 0) ← E H

0 (est0)

C0 ← E(K0, N 0, ε, M 0, τ 0) C ← E H

1 (C0, est1)

return C

• Algo. AD(K, N, A, C, τ)

(dst0, dst1) ← Id(K, N, A, C, τ) (K0, N 0, C0, τ 0) ← DH

0 (dst0)

M 0 ← D(K0, N 0, ε, C0, τ 0) M ← DH

1 (M 0, dst1)

return M

A template for generic composition. Two types of attacks based on how information flows.

Attacks: Specifics Schemes

• 1, 1

• 1, 5

• 1, 2

...

... ...

• 1, 4

AEZ [HKR17] OCB [Rog et al.] Deoxys [JNP15]

Indifferntius

So…

Any indifferentiable encryption schemes?

Feistel

Feistel

R L

RO1 RO2 RO3

Feistel

R L

RO1 RO2 RO3

1 2 3 4 5 6 7 8 9 10 11 12 13 14

Permutation

Feistel

R L

RO1 RO2 RO3

1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14

Permutation

Feistel

R L

RO1 RO2 RO3

1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14

Permutation

Feistel

R L

RO1 RO2 RO3

1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14

Permutation

Feistel

RO1 RO2 RO3

M

1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14

Permutation

Feistel

Theorem: 3 rounds of Feistel are necessary and sufficient to build a random injection.

RO1 RO2 RO3

M

1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14

Permutation

Feistel

Theorem: 3 rounds of Feistel are necessary and sufficient to build a random injection.

RO1 RO2 RO3

M

1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14

Permutation Injection

Online Encryption

Some applications need to process messages “on the fly”:

M1 C1 M2

M3

M`

C`

C2

C3

EK

EK

EK

EK

Leads to: A definition of online random keyed injections.

Turning It On

Theorem: Chaining an AEAD up indifferentiability turns it on.

Turning It On

K N E M1 M3 C3 C1 A1 A3 S H0 H1 `1 `3 `1 + ⌧1 `3 + ⌧3 E S S H1

K1

M2 C2 A2 `2 `2 + ⌧2 H2 H2 H3

K1 K1 K2 K2

E τ1 τ2 τ3

Theorem: Chaining an AEAD up indifferentiability turns it on.

Efficiency Lower Bound

Theorem: Any indifferentiable construction of a wn-bit random injection from an n-bit permutation must place at least 2w-2 queries.

Efficiency Lower Bound

Theorem: Any indifferentiable construction of a wn-bit random injection from an n-bit permutation must place at least 2w-2 queries. Lower/upper bounds remain open for:

ρ := # blocks # queries ∈ [2,3) .

Summary

RO1 RO2 RO3

M

C RO iEnc S D

New view of AE as a random keyed injection;
 Implies security in many adversarial environments.

Summary

RO1 RO2 RO3

M

C RO iEnc S D

Thank you. New view of AE as a random keyed injection;
 Implies security in many adversarial environments.