Modifying an Enciphering Scheme after Deployment. Paul Grubbs, Thomas Ristenpart, Yuval Yarom (PowerPoint presentation)



SLIDE 1

Modifying an Enciphering Scheme after Deployment

Paul Grubbs, Thomas Ristenpart, Yuval Yarom

SLIDE 2

Format-Preserving Encryption (FPE)

[Figure: a client sends a CCN to the encryption service and receives E(CCN); the stored records hold E(CCN) values.]

SLIDE 3

Format-Preserving Encryption (FPE)

[Figure: same client / encryption-service diagram as slide 2.]

SLIDE 4

Format-Preserving Encryption (FPE)

[Figure: client / encryption-service diagram.]

Academic and industry work on FPE:

  • Tokenization
  • Cycle walking [BR]
  • FE1, FE2 constructions [BRRS]
  • Thorp shuffle [MRS]
  • NIST standard FFX
  • Support for arbitrary formats [DCRS, LDJRS, LSRJ]

This work: Backwards-compatible FPE

SLIDE 5

Format-Preserving Encryption (FPE)

This work: Backwards-compatible FPE

New encryption service:

  • Includes new features
  • Decrypts old ciphertexts properly
  • Not just key rotation: the FPE scheme itself changes

SLIDE 6

Example: Upgrading from tokenization

Tokenization: implement FPE using a look-up table of random ciphertexts (the encryption key is the table).

[Figure: client / encryption-service diagram; the service holds a table with entries CCN1 -> 1980-1431-…, CCN2 -> 9886-3456-…, CCN3 -> 8484-1234-…]

SLIDE 7

Example: Upgrading from tokenization

Tokenization: implement FPE using a look-up table of random ciphertexts (the encryption key is the table). Does not scale well! Practitioners want to use modern FPE instead (e.g., FFX).

Frequent problem in practice: old ciphertexts can't be retrieved and re-encrypted.

[Figure: client / encryption-service diagram.]

SLIDE 8

Example: Upgrading from tokenization

Tokenization: implement FPE using a look-up table of random ciphertexts (the encryption key is the table). Does not scale well! Practitioners want to use modern FPE instead (e.g., FFX).

Frequent problem in practice: old ciphertexts can't be retrieved and re-encrypted.

Need a backwards-compatible FPE:

  • New plaintexts encrypted with a compact key
  • Old ciphertexts decrypted using tokenization
  • Preserve permutivity

[Figure: client / encryption-service diagram.]

SLIDE 9

Example: Expanding format

[Figure: client / encryption-service diagram; the service handles 16-digit CCNs.]

Problem: deployed with one format in mind (e.g., just 16-digit CCNs) but need to support others as well (e.g., also 15-digit CCNs).

SLIDE 10

Example: Expanding format

[Figure: client / encryption-service diagram; the service now handles 15- and 16-digit CCNs.]

Problem: deployed with one format in mind (e.g., just 16-digit CCNs) but need to support others as well (e.g., also 15-digit CCNs).

Frequent problem in practice: old ciphertexts can't be retrieved and re-encrypted.

Need a backwards-compatible FPE:

  • New plaintexts (15- or 16-digit CCNs) encrypted
  • Old 16-digit ciphertexts can be decrypted
  • Preserve permutivity

SLIDE 11

Our contributions

Give a generic algorithm (Zig-Zag) for backwards-compatible FPE.

Domain completion (tokenization upgrade example):

  • Prove "natural" security
  • Analyze runtime

Domain extension (expanding format example):

  • "Natural" security is impossible
  • Give new security goal, analyze

SLIDE 12

Domain completion (formally)

Need a backwards-compatible FPE:

  • New plaintexts encrypted with a compact key
  • Old ciphertexts decrypted using tokenization
  • Preserve permutivity

An FPE scheme FPE_K : D -> D with key K is a permutation of D for every K. The security goal is Strong Pseudorandom Permutation (SPRP): indistinguishable from a random permutation even if the adversary knows T.

Call the old FPE (a partial permutation) F_K* : D ⇀ D and T = Dom(F_K*). Need a new FPE ZZ_K' : D -> D so that ∀t ∈ T, ZZ_K'(t) = F_K*(t).

[Figure: D mapped onto D, with the subset T sent to F_K*(T).]

SLIDE 13

The obvious approach doesn't work

What about simply using a tokenization scheme and a new FPE in parallel?

[Figure: table Tok[ ] (playing the role of F_K*) with entries CCN1 -> 1980-1431-…, CCN2 -> 9886-3456-…, CCN3 -> 8484-1234-…, mapping T to Tok[T]; FFX E with secret key K.]

  Encrypt((Tok[], K), M):
    If M in T then:
      Return Tok[M]
    Else:
      Return E_K(M)

This doesn't define a permutation for every (T, K)!

SLIDE 14

The Zig-Zag Construction

[Figure: table Tok[ ] (playing the role of F_K*) mapping T to Tok[T]; FFX E with secret key K.]

  Encrypt((Tok[], K), M):
    If M in T then:
      Return Tok[M]
    Else:
      C = E_K(M)
      while (Tok^-1[C] != null):
        [loop body shown on the next slide]
      Return C

Uses a form of cycle walking to "repair" the permutation on colliding points.

SLIDE 15

The Zig-Zag Construction

Uses a form of cycle walking to "repair" the permutation on colliding points.

[Figure: table Tok[ ] (playing the role of F_K*) mapping T to Tok[T]; FFX E with secret key K.]

  Encrypt((Tok[], K), M):
    If M in T then:
      Return Tok[M]
    Else:
      C = E_K(M)
      while (Tok^-1[C] != null):
        M' = Tok^-1[C]
        C = E_K(M')
      Return C

SLIDE 16

Zig-Zag analysis

Theorem (informal): If |T| <= |D|/2, the Zig-Zag algorithm runs in amortized constant time, except with negligible probability.

Key intuition: with random permutations, a hypergeometric tail bound upper-bounds the probability of drawing many collisions in a row.

Theorem (informal): The Zig-Zag algorithm is as secure as the underlying permutations (E) even if the adversary knows T.

SLIDE 17

Domain extension (formally)

Need a backwards-compatible FPE:

  • New plaintexts (15- or 16-digit CCNs) encrypted
  • Old 16-digit ciphertexts can be decrypted
  • Preserve permutivity

Call the old FPE (a partial permutation) F_K* : D ⇀ D, T = Dom(F_K*), and the new domain M (D ⊆ M). Need an FPE ZZ_K' : M -> M so that ∀t ∈ T, ZZ_K'(t) = F_K*(t).

[Figure: M mapped onto M, with D ⊆ M on each side and the subset T sent to F_K*(T).]

SLIDE 18

Zig-Zag works for domain extension

Old secret key K* for F_K* : D -> D; FFX secret key K for E_K : M -> M.

  Encrypt((K*, K), M):
    If M in T then:
      Return F_K*(M)
    Else:
      C = E_K(M)
      while (F_K*^-1(C) ∈ T):
        C = E_K(F_K*^-1(C))
      Return C

[Figure: M mapped onto M, with D ⊆ M on each side and T sent to F_K*(T).]

SLIDE 19

Zig-Zag works for domain extension

Old secret key K* for F_K* : D -> D; FFX secret key K for E_K : M -> M.

  Encrypt((K*, K), M):
    If M in T then:
      Return F_K*(M)
    Else:
      C = E_K(M)
      while (F_K*^-1(C) ∈ T):
        C = E_K(F_K*^-1(C))
      Return C

What security does this achieve?

[Figure: M mapped onto M, with D ⊆ M on each side and T sent to F_K*(T).]
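The Zig-Zag walk of slides 15 and 18-19 as an added Python example (not code from the talk or the paper): D is the two-digit numbers, a table Tok over T plays the old scheme, and the domain-extension variant is the same walk with Tok replaced by F_K* restricted to T. Assumptions: a key-seeded shuffle stands in for FFX (a placeholder permutation, not a cipher), the key value is hypothetical, and the table is constructed so every entry collides with the fresh cipher, which makes the naive side-by-side scheme of slide 13 fail visibly while Zig-Zag stays a permutation.

```python
import random
# Added toy instance of Zig-Zag domain completion (not the paper's code).
# D = two-digit numbers; old scheme = tokenization table Tok over T;
# new scheme = keyed permutation E_K standing in for FFX.
DOMAIN = list(range(100))
T = list(range(30))                      # |T| <= |D|/2, as in the runtime theorem

def keyed_permutation(key):
    """Toy stand-in for FFX: a key-seeded shuffle of DOMAIN. Not a cipher; it
    only supplies the bijection E_K and its inverse that the walk needs."""
    perm = DOMAIN[:]
    random.Random(key).shuffle(perm)
    forward = dict(zip(DOMAIN, perm))
    return forward, {c: m for m, c in forward.items()}

E, E_INV = keyed_permutation(20240)      # hypothetical key value
# Constructed table: each Tok[t] equals E_K of the non-T point t+50, so the
# naive side-by-side scheme collides on every table entry (slide 13).
TOK = {t: E[t + 50] for t in T}
TOK_INV = {c: t for t, c in TOK.items()}

def naive_encrypt(m):
    """Slide 13: table for T, new FPE otherwise. Not a permutation of D."""
    return TOK[m] if m in TOK else E[m]

def zigzag_encrypt(m):
    """Slide 15: cycle-walk through the table until the ciphertext is unused."""
    if m in TOK:
        return TOK[m]
    c = E[m]
    while c in TOK_INV:                  # Tok^-1[C] != null
        c = E[TOK_INV[c]]                # M' = Tok^-1[C]; C = E_K(M')
    return c

def zigzag_decrypt(c):
    """Inverse of zigzag_encrypt: undo the same walk in reverse order."""
    if c in TOK_INV:
        return TOK_INV[c]
    m = E_INV[c]
    while m in TOK:                      # c was reached by walking through Tok[m]
        m = E_INV[TOK[m]]
    return m

def is_permutation(f):
    """True iff f maps DOMAIN onto itself bijectively."""
    return sorted(f(m) for m in DOMAIN) == DOMAIN

def backwards_compatible(f):
    """True iff f agrees with the old table on every point of T."""
    return all(f(t) == TOK[t] for t in T)
```

Because the walk only ever visits points of T, the number of extra E_K calls is bounded by |T|, which is where the |T| <= |D|/2 condition of slide 16 enters.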

SLIDE 20

SPRP security is impossible

When the adversary knows T = {t_1 … t_|T|}, there is a trivial distinguisher for any domain-extension (DE) cipher:

  for i in [1 … q]:
    if ZZ_K'(t_i) ∉ D: return "ideal"
  return "real"

Key intuition: for a random permutation of M it is unlikely that all queries fall in D.

Advantage = 1 - \frac{|D|!\,(|M|-q)!}{|M|!\,(|D|-q)!}

Can we prove any meaningful security?

[Figure: M mapped onto M, with D ⊆ M on each side and T sent to F_K*(T).]

SLIDE 21

Can we achieve any meaningful security?

Weaken the SPRP security notion; target indistinguishability from a different ideal object: "Strong extended pseudorandom permutation" (SEPRP).

SLIDE 22

SEPRP security

A permutation is an SEPRP if it is indistinguishable from a permutation sampled uniformly subject to ∀t ∈ T, ZZ_K'(t) = F_K*(t).

Key intuition: generalize the message recovery notion from [BRRS]. One hidden bit (membership in T), so 2x queries.

Theorem (informal): Zig-Zag is an SEPRP.

Theorem (informal): SEPRP gives at most a factor-of-2 speedup in the message recovery game from [BRRS].

SLIDE 23

Other considerations

  • If the adversary only knows |T|, a modified Zig-Zag can meet SPRP (see paper)
  • Variable timing for some inputs
    + Timing side channel only leaks membership in T
  • Rank-encipher-unrank construction
    + Fast in worst case
    – High storage overhead, cache side channels

SLIDE 24

Summary

Introduce backwards-compatible crypto.

We give a generic algorithm (Zig-Zag) for backwards-compatible FPE. Achieved domain completion and domain extension for FPE using the Zig-Zag algorithm. Our techniques are efficient, provably secure, and solve real problems for practitioners.

Thanks for listening! Any questions?