PAEQ: Parallelizable Permutation-based Authenticated Encryption - PowerPoint PPT Presentation

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014

Authenticated encryption

Simple encryption If you just want to protect confidentiality of your data, you use (simple) symmetric encryption: encrypt Plaintext X use and transmit Nonce N E K Ciphertext C N • Agree on the key K ; • Choose nonce N uniquely for each piece of data; • Encrypt and send. Good encryption scheme makes ciphertexts look random (even if plaintexts repeat).

Simple encryption If you just want to protect confidentiality of your data, you use (simple) symmetric encryption: encrypt Plaintext X use and transmit Nonce N E K Ciphertext C N • Agree on the key K ; • Choose nonce N uniquely for each piece of data; • Encrypt and send. Good encryption scheme makes ciphertexts look random (even if plaintexts repeat). No integrity protection.

Encryption and authentication If you also want to protect integrity of your data (i.e. authenticate the message), you use authenticated encryption : encrypt and authenticate Plaintext X use and transmit N E K Ciphertext C T N Tag • Tag T is added to each ciphertext; • Adversary can not modify C || T without getting noticed. Good encryption scheme should decrypt forged ciphertext to ⊥ (invalid).

Encryption and authentication If you also want to protect integrity of your data (i.e. authenticate the message), you use authenticated encryption : encrypt and authenticate Plaintext X use and transmit N E K Ciphertext C T N Tag • Tag T is added to each ciphertext; • Adversary can not modify C || T without getting noticed. Good encryption scheme should decrypt forged ciphertext to ⊥ (invalid). We might also want to authenticate some data without encrypting it (associated data).

Authenticated encryption with associated data AD Message Nonce encrypt and authenticate authenticate and bind A M use and transmit N E K A C T N Confidentiality: • Ciphertexts indistinguishable from random strings; Data integrity: • Most of seemingly valid ciphertexts decrypt to ⊥ .

Desirable features Non-exhaustive list of authenticated encryption features: • Parallelizability to fully use multi-core CPU; • Incremental tags to avoid recomputing the entire ciphertext; • Security proof; • Reasonable performance; • Compact implementation.

What we also want

Extra features AD Message Nonce encrypt and authenticate authenticate and bind A M use and transmit N E K A C T N Some extra features: • Easy to understand and implement. • Security level equal to the key length (does not hold for AES-CBC/GCM/OCB). • More compact and verifiable security proofs. • No extra operations like key derivation, field multiplications etc. (makes the design more complex).

Extra features AD Message Nonce encrypt and authenticate authenticate and bind A M use and transmit N E K A C T N Some extra features: • Easy to understand and implement. • Security level equal to the key length (does not hold for AES-CBC/GCM/OCB). • More compact and verifiable security proofs. • No extra operations like key derivation, field multiplications etc. (makes the design more complex). Solution: design a permutation-based mode, not a blockcipher one.

Permutation-based

Two ways of encryption How to construct a variable-length cipher: E K = K F K F K F • Each component is keyed function F K ; • Security reduces to pseudorandomness of F (unpredictable under a random key).

Two ways of encryption How to construct a variable-length cipher: K K K E K = F F F • Each component is a fixed public function F ; • Security proven if F is randomly chosen (while in fact it is not).

Permutation-based Why permutation-based? • A wide permutation can take key, nonce, counter, intermediate values, or a message block altogether as input. • Plenty of designs: different widths and optimizations; • The underlying permutation is easier to design and analyze (no need to care of key schedule, mask generation, nonce formatting, etc.).

Permutation-based Why permutation-based? • A wide permutation can take key, nonce, counter, intermediate values, or a message block altogether as input. • Plenty of designs: different widths and optimizations; • The underlying permutation is easier to design and analyze (no need to care of key schedule, mask generation, nonce formatting, etc.). Cons: • Weaker security model (random permutation); • Lower throughput (larger calls/byte ratio).

80- and 128-bit security

Beyond 64-bit security Most popular modes suggest using AES (128-bit block) as the underlying blockcipher.

Beyond 64-bit security Most popular modes suggest using AES (128-bit block) as the underlying blockcipher. No security guaranteed as the number of invocations q approaches 2 n / 2 = 2 64 .

Beyond 64-bit security Most popular modes suggest using AES (128-bit block) as the underlying blockcipher. No security guaranteed as the number of invocations q approaches 2 n / 2 = 2 64 . We want to offer a higher security margin.

PAEQ

PAEQ Our new scheme PAEQ has Basic features: • Fully parallelizable; Extra features: • Handles associated data; • Security level up to 128 bits and higher • Variable key/nonce/tag (up to w / 3) and equal to the key length; length; • Compact security proof in the random • Patent-free; permutation setting; • Online encryption and • Permutation inputs and outputs are authentication, no length linked by only XORs and counters, no awareness; extra operations; • Byte-oriented. • Only forward permutation calls. • Incremental tag (for max tag length).

PAEQ Encryption 16 s r k V 1 D 0 1 N K D 0 2 N K D 0 t N K Binding associated data F F F n − k − 16 W 1 P 1 P 2 P t k k k C 1 C 2 C t D 5 if last block is padded k k D 2 D 2 D 2 16 X 1 D 4 1 A 1 K D 4 2 A 2 K D 4 p A p K F F F F F F Y 1 n − k − 16 Authentication 16 k Z K D 6 Encryption of the last block of length t ′ F D i = ( k, i + r (mod 256)) D 1 t N K K key, k bits K nonce, r bits T N r + s ≥ 2 k F 1 counter, s bits optional truncation P t t ′ Nonce-misuse option k C t r D 3 2k N F F 0 F Q 1 Q 2 Q m 96 96 16 16 Q : 10 ∗ 1 K P A plaintext key key plaintext AD sponge length AD length padding nonce length length

PAEQ: encryption Encryption: 16 k r s K N K N K N t D 0 1 D 0 2 D 0 F F F r + s k C 1 C 2 C t M 1 M 2 M t or D 1 K N t F C t M t t ′ • Counter mode with PRF; • Confidentiality basically follows from the properties of CTR.

PAEQ: authentication Authentication: F K ( N, 1) F K ( N, 2) F K ( N, t ) D 5 if last block is padded D 2 C 1 D 2 C 2 D 2 C t k k k D 4 K A 1 1 D 4 K A 2 2 D 4 K A p p F F F F F F k ≥ 2 k k ≥ 2 k ≥ 2 k 16 k D 6 K Z F K T optional truncation • PMAC style with additional input from the encryption part; • If the tag has full length, it can be updated with a few extra calls.

Security proof PAEQ comes with several security proofs. Confidentiality and integrity are established up to 2 k total queries to F : ( A ) ≤ 3 q Adv conf 2 k ; Π 2 τ + 4 q Π ( A ) ≤ q Adv int 2 k . where k — key length, τ — tag length, q — total number of queries to F . If the nonce is misused, integrity is still established up to 2 k / 2 queries.

Internal permutation Encryption 16 k r s D 0 K N 1 D 0 K N 2 D 0 K N t Binding associated data F F F r + s k C 1 C 2 C t D 5 if last block is padded k k D 2 M 1 D 2 M 2 D 2 M t 16 D 4 K A 1 1 D 4 K A 2 2 D 4 K A p p F F F F F F q + s 16 q + s r + s q + s 16 k K Z D 6 Authentication F K D i = 256 · k + r + i T K key, k bits optional truncation N nonce, r bits r + s ≥ 2 k 1 counter, s bits We use our own permutation — AESQ.

AESQ

AESQ New 512-bit permutation aimed at modern CPUs: • 4 parallel AES states; • 2 AES rounds alternated with column shuffle; • Simple round constants; • 20 rounds in total. 2 rounds of AESQ: SB SRMC SB SRMC SB SRMC SB SRMC 1 2 3 4 SB SRMC SB SRMC SB SRMC SB SRMC 5 6 7 8

Properties of AESQ Running two instances of AESQ in parallel yields highest throughput on Haswell processors. SB SRMC SB SRMC SB SRMC SB SRMC 1 2 3 4 SB SRMC SB SRMC SB SRMC SB SRMC 5 6 7 8 Security of AESQ: • Differential/linear properties disappear after 8 rounds; • Rebound attacks stop at 12 rounds; • Preimage/distinguishing attacks stop at 12-14 rounds.

Performance estimates Benchmarks on the Haswell CPU: Security level / Key length PAEQ (20 rounds, cycles per byte) 64 4.9 80 5.1 128 5.8 256 8.9

Questions?