SLIDE 1

PAEQ: Parallelizable Permutation-based Authenticated Encryption

Alex Biryukov and Dmitry Khovratovich

University of Luxembourg

12 October 2014

SLIDE 2

Authenticated encryption


SLIDE 4

Simple encryption

If you just want to protect confidentiality of your data, you use (simple) symmetric encryption:

[Figure: plaintext X and nonce N enter E_K, which outputs ciphertext C; N is used and transmitted along with C.]

  • Agree on the key K;
  • Choose nonce N uniquely for each piece of data;
  • Encrypt and send.

A good encryption scheme makes ciphertexts look random (even if plaintexts repeat). There is no integrity protection.


SLIDE 6

Encryption and authentication

If you also want to protect integrity of your data (i.e. authenticate the message), you use authenticated encryption:

[Figure: plaintext X and nonce N enter E_K, which encrypts and authenticates, outputting ciphertext C and tag T; N is used and transmitted along with C and T.]

  • Tag T is added to each ciphertext;
  • The adversary cannot modify C||T without getting noticed.

A good encryption scheme should decrypt a forged ciphertext to ⊥ (invalid). We might also want to authenticate some data without encrypting it (associated data).

SLIDE 7

Authenticated encryption with associated data

[Figure: message M, associated data A and nonce N enter E_K: M is encrypted and authenticated, A is authenticated and bound to the ciphertext; the outputs C, T and A are transmitted along with N.]

Confidentiality:

  • Ciphertexts indistinguishable from random strings;

Data integrity:

  • Most seemingly valid ciphertexts decrypt to ⊥.

SLIDE 8

Desirable features

Non-exhaustive list of authenticated encryption features:

  • Parallelizability to fully use multi-core CPUs;
  • Incremental tags to avoid recomputing the entire ciphertext;
  • Security proof;
  • Reasonable performance;
  • Compact implementation.

SLIDE 9

What we also want


SLIDE 11

Extra features

[Figure: message M, associated data A and nonce N enter E_K: M is encrypted and authenticated, A is authenticated and bound to the ciphertext; the outputs C, T and A are transmitted along with N.]

Some extra features:

  • Easy to understand and implement.
  • Security level equal to the key length (does not hold for AES-CBC/GCM/OCB).
  • More compact and verifiable security proofs.
  • No extra operations like key derivation, field multiplications, etc. (they make the design more complex).

Solution: design a permutation-based mode, not a blockcipher one.

SLIDE 12

Permutation-based

SLIDE 13

Two ways of encryption

How to construct a variable-length cipher:

[Figure: E_K built as a chain of keyed components F_K.]

  • Each component is a keyed function F_K;
  • Security reduces to pseudorandomness of F (unpredictable under a random key).

SLIDE 14

Two ways of encryption

How to construct a variable-length cipher:

[Figure: E_K built as a chain of calls to a fixed public function F, with K supplied as input to each call.]

  • Each component is a fixed public function F;
  • Security proven if F is randomly chosen (while in fact it is not).

SLIDE 16

Permutation-based

Why permutation-based?

  • A wide permutation can take key, nonce, counter, intermediate values, or a message block altogether as input;
  • Plenty of designs: different widths and optimizations;
  • The underlying permutation is easier to design and analyze (no need to care about key schedule, mask generation, nonce formatting, etc.).

Cons:

  • Weaker security model (random permutation);
  • Lower throughput (larger calls/byte ratio).

SLIDE 17

80- and 128-bit security

SLIDE 20

Beyond 64-bit security

Most popular modes suggest using AES (128-bit block) as the underlying blockcipher. No security is guaranteed as the number of invocations q approaches $2^{n/2} = 2^{64}$. We want to offer a higher security margin.

SLIDE 21

PAEQ

SLIDE 22

PAEQ

Our new scheme PAEQ has

Basic features:

  • Fully parallelizable;
  • Handles associated data;
  • Variable key/nonce/tag length;
  • Patent-free;
  • Online encryption and authentication, no length awareness;
  • Byte-oriented;
  • Incremental tag (for max tag length).

Extra features:

  • Security level up to 128 bits and higher (up to w/3) and equal to the key length;
  • Compact security proof in the random permutation setting;
  • Permutation inputs and outputs are linked by only XORs and counters, no extra operations;
  • Only forward permutation calls.

SLIDE 23

PAEQ

[Figure: the PAEQ mode in three parts: Encryption, Binding associated data, Authentication. Labels: K is the key (k bits), N the nonce (r bits), the counter has s bits, with r + s ≥ 2k; every permutation input carries a 16-bit domain separator D_i = (k, i + r (mod 256)). D0 is used for the message blocks P_1, …, P_t (D1/D3 for the last block, of length t′), D2 for the ciphertext blocks C_i in the authentication part, D4 for the associated-data blocks A_1, …, A_p (D5 if the last block is padded), and D6 for the final call that produces the tag T (optional truncation). The keystream taken from each encryption call is n − k − 16 bits. Nonce-misuse option: N is replaced by Q = Q_1 … Q_m, computed by a sponge with F over the key length, nonce length, N, K, the 96-bit plaintext and AD lengths, the plaintext P and the AD A, with 10*1 padding.]

SLIDE 24

PAEQ: encryption

Encryption:

[Figure: PAEQ encryption: for i = 1, …, t the permutation F is applied to (D0, K, N, i), with r + s bits for nonce and counter, and the output is XORed with M_i to give C_i; the last block M_t, of length t′, uses D1.]

  • Counter mode with PRF;
  • Confidentiality basically follows from the properties of CTR.

SLIDE 25

PAEQ: authentication

Authentication:

[Figure: PAEQ authentication: for each ciphertext block C_i, F is applied under D2 to C_i together with k bits of the corresponding encryption output F_K(N, i); the associated-data blocks A_1, …, A_p are processed under D4 (D5 if the last block is padded); the results are combined, PMAC style, and a final keyed call under D6 gives the tag T, with optional truncation.]

  • PMAC style with additional input from the encryption part;
  • If the tag has full length, it can be updated with a few extra calls.
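
Added example (not code from the PAEQ submission or its authors): a small Python model of the mode as I read the encryption and authentication figures above. Encryption is counter mode with a public permutation F applied to (D0, K, N, i); the tag is PMAC style, absorbing each ciphertext block C_i together with the k-bit part Y_i of its own encryption output, each associated-data block together with the key, XORing the results and finishing with one keyed call under D6. Assumptions, all mine: the 64-byte permutation F is a toy Feistel network over SHA-256 standing in for AESQ; key, nonce and counter are 16 bytes each (so r + s ≥ 2k); separators follow slide 23's D_i = (k, i + r mod 256); a short last block gets 10*1 padding and is marked by D1/D3/D5; and one extra D1 call with counter 0 binds the nonce, which is my simplification of the figure's final (K, N, t) call. Decryption returns None for ⊥.

```python
import hashlib
import hmac

# Added model of the PAEQ mode (not the authors' code). F is a toy stand-in for AESQ.
N_BYTES = 64                                   # permutation width n = 512 bits
HALF = N_BYTES // 2

def F(block: bytes) -> bytes:
    """64-byte public permutation: 4-round Feistel network with SHA-256 as round
    function. A Feistel network is invertible by construction, so this really is
    a permutation, but it only stands in for AESQ so the example runs offline."""
    assert len(block) == N_BYTES
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        f = hashlib.sha256(bytes([rnd]) + right).digest()
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

# Parameters in bytes (assumed); r + s >= 2k holds: 16 + 16 >= 2 * 16.
KEY_LEN, NONCE_LEN, CTR_LEN, SEP_LEN, TAG_LEN = 16, 16, 16, 2, 16
BLOCK_LEN = N_BYTES - KEY_LEN - SEP_LEN        # n - k - 16 bits = 46 bytes per block

def _sep(i: int) -> bytes:
    """16-bit domain separator D_i = (k, i + r mod 256), k and r in bits (slide 23)."""
    return bytes([(KEY_LEN * 8) & 0xFF, (i + NONCE_LEN * 8) % 256])

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _pad(x: bytes) -> bytes:
    """10*1 padding of a short last block; full blocks pass through unchanged."""
    return x if len(x) == BLOCK_LEN else x + b"\x80" + bytes(BLOCK_LEN - len(x) - 1)

def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK_LEN] for i in range(0, len(data), BLOCK_LEN)]

def _ctr_call(sep: bytes, key: bytes, nonce: bytes, i: int) -> bytes:
    inp = sep + key + nonce + i.to_bytes(CTR_LEN, "big")
    return F(inp + bytes(N_BYTES - len(inp)))

def _keystream(key, nonce, i, m_len):
    """Counter-mode PRF call F(D0, K, N, i); D1 marks a short last block.
    Returns (Y_i, X_i): Y_i (k bits) feeds authentication, X_i is keystream."""
    out = _ctr_call(_sep(1) if m_len < BLOCK_LEN else _sep(0), key, nonce, i)
    return out[:KEY_LEN], out[KEY_LEN:KEY_LEN + m_len]

def _tag(key, nonce, ys, cs, ad):
    """PMAC-style tag: each ciphertext/AD block is absorbed by one independent F
    call, the results are XORed, and one final keyed call under D6 gives the tag."""
    acc = bytes(BLOCK_LEN)
    for y, c in zip(ys, cs):                   # D2, or D3 if the block was padded
        sep = _sep(3) if len(c) < BLOCK_LEN else _sep(2)
        acc = _xor(acc, F(sep + y + _pad(c))[-BLOCK_LEN:])
    for a in _blocks(ad):                      # D4, or D5 if the block was padded
        sep = _sep(5) if len(a) < BLOCK_LEN else _sep(4)
        acc = _xor(acc, F(sep + key + _pad(a))[-BLOCK_LEN:])
    # Bind the nonce even for an empty message; counter 0 is never used by message
    # blocks, so this call cannot collide with a keystream call (my simplification).
    acc = _xor(acc, _ctr_call(_sep(1), key, nonce, 0)[-BLOCK_LEN:])
    return F(_sep(6) + key + acc)[:TAG_LEN]

def encrypt(key: bytes, nonce: bytes, msg: bytes, ad: bytes = b"") -> tuple:
    assert len(key) == KEY_LEN and len(nonce) == NONCE_LEN
    ys, cs = [], []
    for i, m in enumerate(_blocks(msg), 1):    # blocks are independent: parallelizable
        y, x = _keystream(key, nonce, i, len(m))
        ys.append(y)
        cs.append(_xor(m, x))
    return b"".join(cs), _tag(key, nonce, ys, cs, ad)

def decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes, ad: bytes = b""):
    assert len(key) == KEY_LEN and len(nonce) == NONCE_LEN
    cs, ys, ms = _blocks(ct), [], []
    for i, c in enumerate(cs, 1):
        y, x = _keystream(key, nonce, i, len(c))
        ys.append(y)
        ms.append(_xor(c, x))
    if not hmac.compare_digest(_tag(key, nonce, ys, cs, ad), tag):
        return None                            # ⊥: forged or modified input
    return b"".join(ms)
```

Because every block is handled by its own F call, the ciphertext of a message prefix that ends on a block boundary is a prefix of the full ciphertext, which is the parallelizability the slides advertise; it is also why the nonce must never repeat under one key, since the keystream for (K, N, i) is fixed.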

SLIDE 26

Security proof

PAEQ comes with several security proofs. Confidentiality and integrity are established up to $2^k$ total queries to F:

$$\mathrm{Adv}^{\mathrm{conf}}_{\Pi}(A) \le \frac{3q}{2^{k}}; \qquad \mathrm{Adv}^{\mathrm{int}}_{\Pi}(A) \le \frac{q}{2^{\tau}} + \frac{4q}{2^{k}},$$

where k is the key length, τ the tag length, and q the total number of queries to F. If the nonce is misused, integrity is still established up to $2^{k/2}$ queries.

SLIDE 27

Internal permutation

[Figure: the full PAEQ diagram again (Encryption, Binding associated data, Authentication), with K the key (k bits), N the nonce (r bits), an s-bit counter, r + s ≥ 2k, domain separators D0–D6 (D5 if the last block is padded), optional truncation of the tag, and the separator encoding D_i = 256 · k + r + i.]

We use our own permutation — AESQ.

SLIDE 28

AESQ

SLIDE 29

AESQ

New 512-bit permutation aimed at modern CPUs:

  • 4 parallel AES states;
  • 2 AES rounds alternated with column shuffle;
  • Simple round constants;
  • 20 rounds in total.

2 rounds of AESQ:

[Figure: two rounds of AESQ: each of the four AES states goes through SB, SR, MC twice, with round constants 1–4 in the first round and 5–8 in the second, followed by the column shuffle.]
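
Added example, not the authors' reference code: a Python model of the round structure in the bullets above. Four 16-byte AES states each go through SubBytes, ShiftRows and MixColumns (derived here from GF(2^8) arithmetic rather than hard-coded tables), a round constant is XORed in, and after every two rounds the 16 columns are shuffled across the states, for 20 rounds in total. Two things are my assumptions rather than the slide's: the round constant is XORed into byte 0 of each state, following the 1–4 / 5–8 numbering of the figure, and the column shuffle is a transpose of the 4×4 grid of (state, column), because the slide does not give AESQ's actual shuffle. The unkeyed AES round reproduces the round-1 MixColumns state of FIPS-197 Appendix B.

```python
# Added model of an AESQ-like 512-bit permutation (not the authors' code).
# AES primitives are derived from GF(2^8) arithmetic so nothing is hard-coded.

def _xtime(b: int) -> int:
    """Multiply by x in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def _gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _make_sbox() -> list:
    """AES S-box: multiplicative inverse followed by the affine map with constant 0x63."""
    inv = [0] * 256
    for x in range(1, 256):
        if not inv[x]:
            y = next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
            inv[x], inv[y] = y, x
    sbox = []
    for x in range(256):
        b = inv[x]
        s = b
        for k in range(1, 5):                       # b ^ rotl(b,1) ^ ... ^ rotl(b,4)
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _make_sbox()

def aes_round(state: list, rc: int) -> list:
    """One unkeyed AES round on a 16-byte column-major state; rc is XORed into byte 0."""
    s = [SBOX[b] for b in state]                                        # SubBytes
    s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]  # ShiftRows
    out = []
    for c in range(4):                                                  # MixColumns
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gf_mul(a0, 2) ^ _gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ _gf_mul(a1, 2) ^ _gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ _gf_mul(a2, 2) ^ _gf_mul(a3, 3),
                _gf_mul(a0, 3) ^ a1 ^ a2 ^ _gf_mul(a3, 2)]
    out[0] ^= rc & 0xFF                        # assumed placement of the round constant
    return out

def column_shuffle(states: list) -> list:
    """Assumed shuffle (AESQ's real one is not on the slide): view the 16 columns as a
    4x4 grid indexed (state, column) and transpose it, so column c of state i moves to
    column i of state c. A transpose is an involution, hence a bijection."""
    cols = [[st[4 * c:4 * c + 4] for c in range(4)] for st in states]
    return [sum((cols[c][i] for c in range(4)), []) for i in range(4)]

def aesq_like(block: bytes, rounds: int = 20) -> bytes:
    """4 parallel AES states; 2 AES rounds alternated with a column shuffle; 20 rounds."""
    assert len(block) == 64
    states = [list(block[16 * i:16 * i + 16]) for i in range(4)]
    rc = 1
    for rnd in range(rounds):
        states = [aes_round(st, rc + i) for i, st in enumerate(states)]  # 1-4, 5-8, ...
        rc += 4
        if rnd % 2 == 1:
            states = column_shuffle(states)
    return bytes(sum(states, []))
```

Every step is a bijection on the 512-bit state (S-box, ShiftRows, MixColumns, constant addition and the transpose are all invertible), so the result is a permutation as the mode requires; what it is not is AESQ, whose shuffle and constants the slide does not specify. Checking the bare AES round against the FIPS-197 intermediate values, as the test below does, is the quickest way to catch a wrong ShiftRows direction or MixColumns coefficient in any hand-written round.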

SLIDE 30

Properties of AESQ

Running two instances of AESQ in parallel yields highest throughput on Haswell processors.

Security of AESQ:

  • Differential/linear properties disappear after 8 rounds;
  • Rebound attacks stop at 12 rounds;
  • Preimage/distinguishing attacks stop at 12-14 rounds.

SLIDE 31

Performance estimates

Benchmarks on the Haswell CPU (PAEQ, 20 rounds):

  Security level / key length (bits)    Cycles per byte
  64                                    4.9
  80                                    5.1
  128                                   5.8
  256                                   8.9

SLIDE 32

Questions?