New Blockcipher Modes of Operation with Beyond the Birthday Bound - - PowerPoint PPT Presentation



SLIDE 1

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security

Tetsu Iwata
Ibaraki University

March 17, 2006
Fast Software Encryption, FSE 2006, Graz, Austria, March 15–17, 2006

SLIDE 2

Blockcipher Modes

Algorithms that provide
  • privacy (encryption mode)
  • authenticity (MAC)
  • privacy and authenticity (AE mode)
  • · · ·
based on blockciphers.


SLIDE 4

Known Encryption Modes
  • CTR
  • CBC
  • OFB
  • CFB
  • ECB
  • · · ·

SLIDE 5

CTR

[Figure: a counter ctr is incremented (inc) once per block and each value is fed through EK, producing the keystream blocks S0, S1, …, S7]

  • S = (S0, S1, . . . , S7): keystream
  • Encryption: C = M ⊕ S
  • Decryption: M = C ⊕ S

SLIDE 6

Advantages of CTR

  • provable security
  • security proofs with the standard PRP assumption
  • highly efficient
  • single blockcipher key
  • fully parallelizable
  • allows precomputation of keystream
  • allows random access

SLIDE 7

Security Definition

  • “Indistinguishability from random strings” (Rogaway, Bellare, Black, Krovetz, ’03)
  • Scenario: Adaptive chosen plaintext attack
  • Goal: To distinguish between
    – “real ciphertext”
    – “truly random string” (of the same length as ciphertext)

SLIDE 8

Keystream Generation Part of CTR

[Figure: the keystream generation part of CTR; every incremented counter value passes through EK to give S0, S1, …, S7, and the counter inputs are all distinct]

Si ≠ Sj since EK(·) is a permutation.

SLIDE 9

Keystream Generation Part of CTR

  • If S = (S0, . . . , Sσ−1) is the keystream of CTR, Pr(Si = Sj) = 0.
  • If S = (S0, . . . , Sσ−1) is the truly random string,
    0.3σ(σ − 1)/2^n ≤ Pr(Si = Sj) ≤ 0.5σ(σ − 1)/2^n
    (n: length of Si in bits, block size of E)

SLIDE 10

Keystream Generation Part of CTR

  • For any A, Adv^priv_CTR(A) ≤ 0.5σ(σ − 1)/2^n.

    Birthday Bound

  • There exists A s.t. Adv^priv_CTR(A) > 0.3σ(σ − 1)/2^n.
    ⊲ A guesses “random string” if there is a collision.
    ⊲ Otherwise A guesses “ciphertext of CTR.”

SLIDE 11

Security of CTR

CTR can NOT have beyond the birthday bound security (as long as EK(·) is a permutation).

SLIDE 12

Our Work: New Encryption Mode

CENC · · · Cipher-based ENCryption

beyond the birthday bound security without breaking advantages of CTR

SLIDE 13

The Basic Idea

  • Convert EK(·) into a function.
  • GK(x) = EK(x0) ⊕ EK(x1), x ∈ {0, 1}^(n−1)
    (Lucks ’00, Bellare and Impagliazzo ’99)

[Figure: x0 and x1 each pass through EK and the two outputs are xored to give G(x)]

SLIDE 14

CENC Parameters

  • Blockcipher E : {0, 1}^k × {0, 1}^n → {0, 1}^n
  • Nonce length: ℓnonce bits, ℓnonce < n
  • Frame width: w

SLIDES 15–19

Keystream Generation Part of CENC

[Figure, built up over five slides: the counter ctr is incremented through EK as in CTR, but the first EK output of each frame is kept as a mask L; each of the following w outputs of the frame is xored with L to give the keystream blocks S0, S1, S2, …, S5, and the next frame starts with a fresh mask]

  • L: mask
  • w blocks (1 frame)
  • w: frame width, default: w = 2^8 = 256
  • N: Nonce, ctr ← N0 · · · 0
  • default: |N| = ℓnonce = n/2

SLIDE 20

Encryption Algorithm of CENC

[Figure: ctr ← N0 · · · 0; the CENC keystream S0, …, S5 is generated frame by frame as above, and each Si is xored with the message block Mi to give the ciphertext block Ci]
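The collision distinguisher of slide 10 and the frame-based keystream of slides 15–20, written out as an added example that is not part of Iwata's slides. It assumes a toy 16-bit Feistel permutation `toy_ek` standing in for EK (the slides assume AES), a constructed key, and hypothetical helper names; everything else follows the slides' definitions.

```python
import hashlib

N_BITS = 16               # toy block size n; the slides assume AES with n = 128
NONCE_BITS = N_BITS // 2  # default nonce length l_nonce = n/2 from slide 19
MASK = (1 << N_BITS) - 1

def toy_ek(key: bytes, x: int) -> int:
    """Toy stand-in for E_K: a 4-round Feistel network on n bits (NOT a real cipher).
    Every Feistel network is a permutation, which is all the collision argument uses."""
    half = N_BITS // 2
    hm = (1 << half) - 1
    left, right = x >> half, x & hm
    for rnd in range(4):
        digest = hashlib.sha256(key + bytes([rnd]) + right.to_bytes(2, "big")).digest()
        left, right = right, left ^ (int.from_bytes(digest[:2], "big") & hm)
    return (left << half) | right

def ctr_keystream(key: bytes, nonce: int, sigma: int) -> list:
    """CTR keystream: S_i = E_K(ctr + i) with ctr = N || 0...0 (slides 5 and 8)."""
    ctr = nonce << (N_BITS - NONCE_BITS)
    return [toy_ek(key, (ctr + i) & MASK) for i in range(sigma)]

def cenc_keystream(key: bytes, nonce: int, sigma: int, w: int = 256) -> list:
    """CENC keystream (slides 15-19): each frame spends one call on a mask
    L = E_K(ctr) and then w calls giving S_i = E_K(ctr) ^ L, so every S_i is
    the xor of two distinct E_K outputs, as in G_K on slide 13, with one key."""
    ctr = nonce << (N_BITS - NONCE_BITS)
    stream = []
    while len(stream) < sigma:
        mask = toy_ek(key, ctr)               # the extra call per frame
        ctr = (ctr + 1) & MASK
        for _ in range(min(w, sigma - len(stream))):
            stream.append(toy_ek(key, ctr) ^ mask)
            ctr = (ctr + 1) & MASK
    return stream

def blockcipher_calls(sigma: int, w: int) -> int:
    """E_K calls for sigma keystream blocks: one per block plus one per frame (slide 26)."""
    return sigma + -(-sigma // w)

def distinguisher_guess(stream: list) -> str:
    """The adversary of slide 10: a repeated block can never come from CTR."""
    return "random string" if len(set(stream)) < len(stream) else "ciphertext of CTR"

def cenc_encrypt(key: bytes, nonce: int, blocks: list, w: int = 256) -> list:
    """C = M xor S (slide 20); the same call decrypts because xor is an involution."""
    return [m ^ s for m, s in zip(blocks, cenc_keystream(key, nonce, len(blocks), w))]
```

With the toy 16-bit block, a few thousand CTR blocks never repeat while the CENC keystream does, which is exactly why the CTR bound is tight and CENC can go beyond it.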

SLIDE 21

Advantages of CENC

  • provable security — beyond the birthday bound
  • security proofs with the standard PRP assumption
  • highly efficient — small cost
  • single blockcipher key
  • fully parallelizable
  • allows precomputation of keystream
  • allows random access

SLIDE 22

Indistinguishability from Random Strings

[Figure: the adversary A talks either to the Encryption Oracle CENCK(·), which answers a query (N, M) with C = CENCK(N, M), or to the Random String Oracle R(·), which answers (N′, M′) with a random string C′]

  • A must not repeat a nonce.
  • Adv^priv_CENC(A) def= | Pr_K(A^{CENCK(·,·)} = 1) − Pr_R(A^{R(·,·)} = 1) |
SLIDE 23

Security Definition for E (PRP, LR ’88)

[Figure: the adversary B talks either to the Blockcipher Oracle EK(·), which answers X with Y = EK(X), or to the Random Permutation Oracle P(·), which answers X′ with Y′ = P(X′)]

  • Adv^prp_E(B) def= | Pr_K(B^{EK(·)} = 1) − Pr_P(B^{P(·)} = 1) |
SLIDE 24

Theorem. If there exists A against CENC such that:
  • at most q queries, and
  • at most σ blocks,
then there exists B against E such that:
  • time(B) = time(A) + O(n·σ̂·w),
  • at most (w + 1)·σ̂/w queries, and
  • Adv^prp_E(B) ≥ Adv^priv_CENC(A) − w·σ̂^3/2^(2n−3) − w·σ̂/2^n,
where σ̂ = σ + qw.

SLIDE 25

Interpretation

  • CENC is secure up to 2^82 blocks (AES, w = 2^8).
  ⊲ CTR is secure up to 2^64 blocks.

If we encrypt σ ≤ 2^(n/2) blocks,
  • Adv^priv_CENC(A) ≤ w·σ̂^3/2^(2n−3) + w·σ̂/2^n ≤ 2w·σ̂/2^n
  ⊲ Adv^priv_CTR(A) ≤ 0.5σ^2/2^n
  (w: constant, σ̂ ≈ σ)

SLIDE 26

Cost for the Security Improvement

w + 1 blockcipher calls for w blocks of keystream

  • 257 calls to encrypt 256 blocks (Default: w = 2^8)
  ⊲ The cost is 1/257 = 0.4% compared to CTR.
  • 1 frame is w blocks, which is 4KBytes.
  ⊲ 99.9% of the Internet traffic is less than 1.5KBytes.
  ⊲ The cost is one blockcipher call compared to CTR.

SLIDE 27

New Authenticated-Encryption Mode

CHM · · · CENC with Hash-based MAC

  • CENC for privacy.
  • Hash-based MAC (Wegman-Carter MAC) for authenticity.
  • Beyond the birthday bound security.
  • Similar to GCM by McGrew & Viega.

SLIDE 28

Open Question

⊲ The security bound of CTR is tight.
  • ∀A, Adv^priv_CTR(A) ≤ 0.5σ(σ − 1)/2^n
  • ∃A, Adv^priv_CTR(A) > 0.3σ(σ − 1)/2^n

∀A, Adv^priv_CENC(A) ≤ w·σ̂^3/2^(2n−3) + w·σ̂/2^n

⊲ Improve the security bound
⊲ Attack with Adv^priv_CENC(A) > Ω(w·σ̂^3/2^(2n−3) + w·σ̂/2^n)

SLIDE 29

Conjecture

The security bound can be improved.
∀A, Adv^priv_CENC(A) ≤ O(w·σ̂/2^n)

SLIDE 30

Conclusion

  • New encryption mode, CENC
  • New AE mode, CHM
  • beyond the birthday bound security

Questions?
Tetsu Iwata
iwata@cis.ibaraki.ac.jp