Insecurity on XLS and Forging Algorithm on the Mode COPA Mridul - PowerPoint PPT Presentation

Insecurity on XLS and Forging Algorithm on the Mode COPA Mridul Nandi Indian Statistical Institute, Kolkata mridul@isical.ac.in August 23, 2014 DIAC, UCSB Mridul Nandi XLS-COPA

Introduction and Overview. 1 Domain Extension and domain completion. 2 Briefly study XLS and COPA. 3 We have demonstrated a SPRP distinguisher for XLS which violates the claim in FSE 2007. 4 We extend this attack for the mode COPA. 5 We propose some alternative secure as well as efficient methods for domain completions. Mridul Nandi XLS-COPA

Domain Extension and Completion Domain Extension Using n -bit blockcipher constructing encryption over larger message sizes. Easy to define messages of size multiple of n (e.g., EME, HCBC, MHCBC etc.). Padding may be applied for AE but would not simply work for enciphering. Domain Completion A generic method to make the domain complete (i.e., any message size). So far only two methods are known. (1) XLS (proposed by Ristenpart and Rogaway in FSE 2007) and (2) Nandi’s construction in CyS 2009. Cook et. al proposed for domain completion for smaller sizes. Mridul Nandi XLS-COPA

XLS Proposed by Ristenpart and Rogaway in FSE 2007. A Method of length-preserving encryption (or enciphering) for arbitrary message length. It requires an enciphering scheme E over ( { 0 , 1 } n ) + and a blockcipher E . Replacing E by a blockcipher, XLS becomes an enciphering scheme over ∪ 2 n − 1 i = n { 0 , 1 } i . Used in Authenticated Encryption. Mridul Nandi XLS-COPA

Figure of XLS Q P ′ P C ′ C D E E − 1 a b B A mix2 mix2 u = a ⊕ 1 v = b ⊕ 1 U V W W E E − 1 v u V U mix2 mix2 b = v ⊕ 1 B a = u ⊕ 1 A E E − 1 C D Q C ′ P ′ P Encryption Decryption Mridul Nandi XLS-COPA

Figure of mix2 a A B mix2 ′ 1 <<< mix2 x mix2 R = mix2 ′ mix2 L R mix2 ′ L 1 mix2 is defined as mix2( A , B ) = ( A ⊕ ( A ⊕ B ) ≪ , B ⊕ ( A ⊕ B ) ≪ ) . 2 Note that mix2 is linear and hence difference propagate with probability one. 3 mix2 is inverse of itself. Mridul Nandi XLS-COPA

CPCA Distinguisher of XLS for 2 n − 1 bit messages ∗ ∆ = 0 ∆ = α � = 0 ∆ = β 2 ⊕ ( β >>> 1 ) 2 (observed w.p. 1 2 ) E E ∗ ∆ = 0 ∗ ∗ mix2 mix2 ∆ = α 1 ∗ ∗ ∆ = 0 := α ⊕ α <<< 1 E ∆ = β >>> 1 E 2 δ = 0 w.p. 1 ∗ δ = 0 ∆ = 0 2 mix2 mix2 δ = 0 ∆ = β 2 ∆ = β 2 δ = 0 E E ∆ = β ∆ = γ := β 2 ⊕ β >>> 1 2 (observed) C/C ′ C/C ′ Encryption Query 1 and 2 Decryption Query 1 and 2 Mridul Nandi XLS-COPA

CPCA Distinguisher of XLS for 2 n − 1 bit messages Distinguishing Algorithm A 0 for XLS with message sizes 2 n − 1 . query-1 . It makes an encryption query ( P , Q ) ∈ { 0 , 1 } n × { 0 , 1 } n − 1 . 1 Let ( C , D ) ∈ { 0 , 1 } n × { 0 , 1 } n − 1 be its response. 2 Fix a non-zero bit string α of size n − 1. 3 query-2 . It makes an encryption query ( P , Q ′ := Q ⊕ α ) and 4 obtains response ( C ′ , D ′ ). Let β = D ⊕ D ′ and set γ = α ⊕ β ⊕ (( α ⊕ β ) >> 2) . 5 query-3 . It makes a decryption query ( C , D 1 ) and obtains response 6 ( P 1 , Q 1 ) where query-4 . It makes a decryption query ( C ′ , D ′ 1 := D 1 ⊕ γ ) and 7 obtains response ( P ′ 1 , Q ′ 1 ). if Q ′ 1 = Q 1 ⊕ γ returns 1, else 0. 8 Mridul Nandi XLS-COPA

Description of COPA for complete last block message 1 V is generated from associated data in a similar fashion. 2 M [ d ] = ⊕ d − 1 i =1 M [ i ]. Mridul Nandi XLS-COPA

b b b b b b Description of COPA for other messages M [1] M [2] m AD M [ d − 1] F t � Q E C [1] C [2] C [ d − 1] D T m is the partial block message. F represents COPA for complete block messages. E is the XLS when E is replaced by blockcipher. Mridul Nandi XLS-COPA

Forging Algorithm on COPA Forgery Algorithm A 1 . Make queries M i ∈ { 0 , 1 } n and obtains response ( C i , t ′ i � Q i ) where 1 | t ′ i | = 1, 1 ≤ i ≤ q . Find b (assume b = 0), | I | = |{ i : t ′ i = b }| ≥ q / 2. I = I 1 ⊔ I 2 , 2 | I 1 | = | I 2 | . Make queries ( M i , m ), i ∈ I , m ∈ { 0 , 1 } n − 1 and obtains responses 3 (( C i , D i ) , T i ). Find i ∈ I 1 , j ∈ I 2 , k ∈ I s.t. 4 R − 2 ( D i + Q i ) D j + ( I + R − 2 )( Q j + D j ) � � � � Q k = + , otherwise abort. Return forgery query ( C k , D ∗ , T j ) where 5 D ∗ = D j + ( I + R − 2 )( D i + Q i + D j + Q j ) . Mridul Nandi XLS-COPA

Forging Algorithm on COPA It requires about 2 n / 3 queries. The attacks is reduced to generalized birthday attack for k = 3. In other words, finding three elements x ∈ I 1 , y ∈ I 2 and z ∈ I from three lists such that x ⊕ y ⊕ z = 0. No known algorithm with time complexity less than 2 n / 2 . Success probability is about 1 / 2. It works for other COPA like constructions. Mridul Nandi XLS-COPA

Nandi’s CyS’09 Construction. Q A P H 1 U R F Π chop s V H 1 C D Mridul Nandi XLS-COPA

b b b b b b New Methods of domain completion of AE. M [1 ..d − 2] M [ d − 1] M [ d ] M [1] M [2] M [ d − 1] M [ d ] H 1 Tweak t F Tweak t R F F chop s T ′ T E H 1 C [1] C [ d − 1] C [2] C [ d ] T C [1 ..d − 2] C [ d − 1] C [ d ] (1) (2) Mridul Nandi XLS-COPA

Conclusion. 1 We have demonstrated a SPRP distinguisher for XLS which violates the claim in FSE 2007. 2 We extend this attack for those AE which use it, e.g., COPA. 3 We propose some alternative secure as well as efficient methods for domain completions. Mridul Nandi XLS-COPA

The End Mridul Nandi XLS-COPA