Insecurity on XLS and Forging Algorithm on the Mode COPA




SLIDE 1

Insecurity on XLS and Forging Algorithm on the Mode COPA

Mridul Nandi

Indian Statistical Institute, Kolkata mridul@isical.ac.in

August 23, 2014 DIAC, UCSB

Mridul Nandi XLS-COPA

SLIDE 2

Introduction and Overview.

1. Domain extension and domain completion.
2. Briefly study XLS and COPA.
3. We have demonstrated a SPRP distinguisher for XLS which violates the claim in FSE 2007.
4. We extend this attack for the mode COPA.
5. We propose some alternative secure as well as efficient methods for domain completions.

SLIDE 3

Domain Extension and Completion

Domain Extension
- Using an n-bit blockcipher, construct encryption over larger message sizes.
- Easy to define for messages whose size is a multiple of n (e.g., EME, HCBC, MHCBC etc.).
- Padding may be applied for AE but would not simply work for enciphering.

Domain Completion
- A generic method to make the domain complete (i.e., any message size).
- So far only two methods are known: (1) XLS (proposed by Ristenpart and Rogaway in FSE 2007) and (2) Nandi’s construction in CyS 2009.
- Cook et al. proposed a method for domain completion for smaller sizes.

SLIDE 4

XLS

- Proposed by Ristenpart and Rogaway in FSE 2007.
- A method of length-preserving encryption (or enciphering) for arbitrary message length.
- It requires an enciphering scheme $\mathcal{E}$ over $(\{0,1\}^n)^+$ and a blockcipher $E$.
- Replacing $\mathcal{E}$ by a blockcipher, XLS becomes an enciphering scheme over $\bigcup_{i=n}^{2n-1} \{0,1\}^i$.
- Used in Authenticated Encryption.

SLIDE 5

Figure of XLS

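[Figure: XLS encryption and decryption. Encryption panel labels: P, Q, P′; three E boxes; two mix2 boxes; A, U, V, W, B; a, u = a ⊕ 1, v, b = v ⊕ 1; outputs C, D, C′. Decryption panel labels: the same wiring in reverse with three E−1 boxes; b, v = b ⊕ 1, u, a = u ⊕ 1.]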

SLIDE 6

Figure of mix2

[Figure: mix2 with inputs A, B and a rotation box labelled <<< 1; further labels mix2L, mix2R, mix2′L, mix2′R.]

1. mix2 is defined as $\mathrm{mix2}(A, B) = (A \oplus (A \oplus B)^{\lll},\ B \oplus (A \oplus B)^{\lll})$.
2. Note that mix2 is linear and hence differences propagate with probability one.
3. mix2 is the inverse of itself.
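The two mix2 properties above, checked exhaustively on small words (an added example, not code from the original slides). It assumes ≪ is a one-bit left rotation, as the `<<< 1` box in the figure suggests, and that both inputs are s-bit words; all function names are hypothetical. It also confirms that an input difference (0, α) always gives the output difference (α<<<1, α ⊕ α<<<1), whose second half is the expression the distinguisher slide writes as β2.

```python
from itertools import product

def rotl1(x, s):
    """Rotate the s-bit word x left by one bit (assumed meaning of <<< 1)."""
    return ((x << 1) | (x >> (s - 1))) & ((1 << s) - 1)

def mix2(a, b, s):
    """mix2(A, B) = (A ^ rot(A ^ B), B ^ rot(A ^ B)) on s-bit words."""
    t = rotl1(a ^ b, s)
    return a ^ t, b ^ t

def is_involution(s):
    """True if applying mix2 twice returns every input pair unchanged."""
    words = range(1 << s)
    return all(mix2(*mix2(a, b, s), s) == (a, b)
               for a, b in product(words, repeat=2))

def is_linear(s):
    """True if mix2(x ^ y) == mix2(x) ^ mix2(y) for all input pairs x, y."""
    words = range(1 << s)
    for a, b, c, d in product(words, repeat=4):
        lhs = mix2(a ^ c, b ^ d, s)
        x, y = mix2(a, b, s), mix2(c, d, s)
        if lhs != (x[0] ^ y[0], x[1] ^ y[1]):
            return False
    return True

def output_differences(da, db, s):
    """All output differences seen for the fixed input difference (da, db)."""
    words = range(1 << s)
    diffs = set()
    for a, b in product(words, repeat=2):
        x, y = mix2(a, b, s), mix2(a ^ da, b ^ db, s)
        diffs.add((x[0] ^ y[0], x[1] ^ y[1]))
    return diffs

if __name__ == "__main__":
    s, alpha = 4, 0b0011          # constructed toy parameters
    print("involution:", is_involution(s))
    print("linear:", is_linear(s))
    # A single element means the difference propagates with probability one.
    print("differences for (0, alpha):", output_differences(0, alpha, s))
```

A one-element set from `output_differences` is what "propagates with probability one" means in practice: the output difference does not depend on the actual values of A and B.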

SLIDE 7

CPCA Distinguisher of XLS for 2n − 1 bit messages

[Figure: differential trail through XLS. Panel "Encryption Query 1 and 2": input differences ∆ = 0 and ∆ = α ≠ 0; δ = 0 w.p. 1/2; output difference ∆ = β2 := α ⊕ α<<<1 (observed). Panel "Decryption Query 1 and 2": input difference ∆ = γ := β2 ⊕ β2>>>1 on C/C′; δ = 0; output difference ∆ = β2 ⊕ (β2>>>1) (observed w.p. 1/2).]

SLIDE 8

CPCA Distinguisher of XLS for 2n − 1 bit messages

Distinguishing Algorithm $A_0$ for XLS with message sizes $2n - 1$.

1. query-1. It makes an encryption query $(P, Q) \in \{0,1\}^n \times \{0,1\}^{n-1}$.
2. Let $(C, D) \in \{0,1\}^n \times \{0,1\}^{n-1}$ be its response.
3. Fix a non-zero bit string $\alpha$ of size $n - 1$.
4. query-2. It makes an encryption query $(P, Q' := Q \oplus \alpha)$ and obtains response $(C', D')$.
5. Let $\beta = D \oplus D'$ and set $\gamma = \alpha \oplus \beta \oplus ((\alpha \oplus \beta) \gg 2)$.
6. query-3. It makes a decryption query $(C, D_1)$ and obtains response $(P_1, Q_1)$ where
7. query-4. It makes a decryption query $(C', D'_1 := D_1 \oplus \gamma)$ and obtains response $(P'_1, Q'_1)$.
8. If $Q'_1 = Q_1 \oplus \gamma$ it returns 1, else 0.

SLIDE 9

Description of COPA for complete last block message

1. V is generated from associated data in a similar fashion.
2. $M[d] = \bigoplus_{i=1}^{d-1} M[i]$.

SLIDE 10

Description of COPA for other messages

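[Figure: COPA for messages with a partial last block. Labels: AD; M[1], M[2], …, M[d − 1], m; F; E; C[1], C[2], …, C[d − 1], D; T; tQ.]

- m is the partial block message.
- F represents COPA for complete block messages.
- E is XLS with the enciphering scheme $\mathcal{E}$ replaced by a blockcipher.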

SLIDE 11

Forging Algorithm on COPA

Forgery Algorithm $A_1$.

1. Make queries $M_i \in \{0,1\}^n$ and obtain responses $(C_i, t'_i Q_i)$ where $|t'_i| = 1$, $1 \le i \le q$.
2. Find $b$ (assume $b = 0$), $|I| = |\{i : t'_i = b\}| \ge q/2$. $I = I_1 \sqcup I_2$, $|I_1| = |I_2|$.
3. Make queries $(M_i, m)$, $i \in I$, $m \in \{0,1\}^{n-1}$ and obtain responses $((C_i, D_i), T_i)$.
4. Find $i \in I_1$, $j \in I_2$, $k \in I$ s.t. $Q_k = \big(R^{-2}(D_i + Q_i)\big) + \big(D_j + (I + R^{-2})(Q_j + D_j)\big)$, otherwise abort.
5. Return forgery query $(C_k, D^*, T_j)$ where $D^* = D_j + (I + R^{-2})(D_i + Q_i + D_j + Q_j)$.

SLIDE 12

Forging Algorithm on COPA

- It requires about $2^{n/3}$ queries.
- The attack reduces to the generalized birthday attack for k = 3, in other words, finding three elements x ∈ I1, y ∈ I2 and z ∈ I from three lists such that x ⊕ y ⊕ z = 0.
- No known algorithm with time complexity less than $2^{n/2}$.
- Success probability is about 1/2.
- It works for other COPA-like constructions.

SLIDE 13

Nandi’s CyS’09 Construction.

[Figure: Nandi’s CyS’09 construction. Labels: P, Q; H1; Π; A, U, V; chops; F; R; H1; D, C.]

SLIDE 14

New Methods of domain completion of AE.

[Figure: two constructions, marked (1) and (2). Labels: M[1], M[2], …, M[d − 1], M[d]; M[1..d − 2]; F; E; H1, chops, F, R, H1; Tweak t; C[1], C[2], …, C[d − 1], C[d]; C[1..d − 2]; T, T′.]

SLIDE 15

Conclusion.

1. We have demonstrated a SPRP distinguisher for XLS which violates the claim in FSE 2007.
2. We extend this attack for those AE which use it, e.g., COPA.
3. We propose some alternative secure as well as efficient methods for domain completions.

SLIDE 16

The End
