RIV and Resilient Authenticated Encryption (PowerPoint PPT presentation)



SLIDE 1

RIV and Resilient Authenticated Encryption

Farzaneh Abed¹, Christian Forler², Eik List¹, Stefan Lucks¹, Jakob Wenzel¹

¹ Bauhaus-Universität Weimar, ² Hochschule Schmalkalden

Dagstuhl, Jan 10-15, 2016

SLIDE 2

Section 1: RIV

Bauhaus-Universität Weimar RIV and Resilient AE Dagstuhl, Jan 10-15, 2016 2/19

SLIDE 3

What is RIV?

  • Nonce-based AE scheme
  • Authenticity and privacy in the standard setting
  • Derived from SIV
  • Robust:
      • Full authenticity + DAE-privacy under nonce reuse (like SIV)
      • Preserves its security properties under release of unverified plaintexts (unlike SIV)
  • Provably secure, assuming only that AES is secure
  • Inverse-free
  • Efficient instantiation (pseudo-dot-product hashing + AES)

SLIDE 4

Recent Definitions for “Robustness”

  • Boldyreva et al. ’13: studied the effects of multiple distinguishable error messages in probabilistic or stateful schemes.
  • Andreeva et al. ’14: captured the remaining security under release of unverified plaintexts (RUP).
  • Hoang et al. ’15: defined robust AE (RAE) as a notion for the best achievable security of an AE scheme with a user-chosen ciphertext expansion.
  • Badertscher et al. ’15: investigated RAE within the frameworks by Maurer and Renner.
  • Barwell et al. ’15: defined subtle AE as a reference framework for the other notions. Models leakage beyond that of the invalid plaintext; allows leakage to be modelled as a property of the decryption implementation rather than of the scheme.

SLIDE 5

Previous Robust AE Schemes

Four CAESAR candidates:

  • Julius [Bahack]: not a 2nd-round CAESAR candidate
  • POET [Abed et al.]: on-line
  • APE [Andreeva et al.]: on-line
  • AEZ [Hoang et al.]: “proof-then-prune” (see below)

Beyond CAESAR:

  • Mr. Monster Burrito [Bertoni et al. ’14]
  • Protected IV [Shrimpton and Terashima ’13]
  • OleF [Bhaumik and Nandi ’15]: on-line
  • mCPFB [Chakraborti et al. ’15]: on-line, rate 3/4
  • sp-AELM [Agrawal et al. ’15]: on-line encryption, off-line decryption

Theoretically, any secure STPRP can be transformed into a robust AE scheme using Encode-then-Encipher [Hoang et al. ’14].

SLIDE 6

“Prove” – AEZ, as Proven Secure

[Figure: AEZ encryption diagram; black boxes denote block-cipher calls. The first 2m message blocks M_1, M'_1, …, M_m, M'_m map to ciphertext blocks C_1, C'_1, …, C_m, C'_m via intermediate values X_1, …, X_m, Y_1, …, Y_m and S; the last two blocks M_{m+1}, M'_{m+1} map to C_{m+1}, C'_{m+1}.]

SLIDE 7

“Then Prune” – The Proposed Instantiation of AEZ

Except for two calls, all block-cipher invocations are replaced by 4-round AES.

[Figure: the same AEZ diagram with the pruned block-cipher calls: first 2m message blocks M_1, M'_1, …, M_m, M'_m → C_1, C'_1, …, C_m, C'_m; last two blocks M_{m+1}, M'_{m+1} → C_{m+1}, C'_{m+1}.]

SLIDE 12 (final build of slides 8-12)

“Deterministic AE” with SIV

Rogaway and Shrimpton ’06

[Figure: SIV construction. A PRF over the header/nonce H/N and the message M yields the tag T, which serves as the IV for CTR-mode encryption of M into the ciphertext C.]

H/N: Header and nonce
M: Message
C/T: Ciphertext (with tag)

  • Secure against nonce-respecting adversaries
  • Maximum resilience to nonce reuse
  • Off-line
  • No resilience to RUP (≈ one-time pad used twice)

SLIDE 14 (final build of slides 13-14)

RIV: SIV with one more round

[Figure: RIV construction. PRF-1 over (H/N, M) yields R, the IV for CTR-mode encryption of M into C; PRF-2 over (H/N, C) is combined with R to form the tag T. Labels in the diagram: M, H/N, zero, CTR, T, C, R, PRF-1, PRF-2.]

H/N: Header and nonce
M: Message
C/T: Ciphertext (with tag)
zero: constant 0^n

Same properties as SIV, except that RIV additionally offers maximum resilience to RUP.

SLIDE 19 (final build of slides 15-19)

RIV: Ideas for Security Proof

Security up to the birthday bound

[Figure: RIV construction as on slide 14 (labels M, H/N, zero, CTR, T, C, R, PRF-1, PRF-2).]

Chosen plaintext (H/N, M):
  • PRF-1 will produce a random R for every new query (H/N, M)
  • → C and T are random

Chosen (H/N, T, C):
  • PRF-2 will produce a random R for every new (H/N, C)
  • For an old (H/N, C), the value T must be new, and thus R
  • → M is random, and
  • → the output of PRF-1 will not match
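The contrast between slide 12 (SIV: no resilience to RUP, the keystream is reused) and slides 14 and 19 (RIV's extra PRF round), as an added toy example that is not the authors' code: the slides instantiate the PRFs with CLHASH + AES-128 and encrypt with AES-CTR, whereas this example swaps in HMAC-SHA256 as the PRF and as a counter-mode keystream generator so it runs with Python's standard library only. Forming the tag as PRF-2 output XORed with R is an assumption of this example (the slides only show that T and R determine each other given (H/N, C)); key, header, nonce and message are constructed sample values.

```python
import hashlib, hmac

# Added toy example, not the RIV authors' code. PRF and keystream are both
# HMAC-SHA256 (truncated to n = 16 bytes) instead of CLHASH + AES-128 / AES-CTR.
N = 16

def prf(k, dom, h, n, data):
    # Unique (prefix-free) encoding of (domain, H, N, data): the "Encode" step.
    enc = (bytes([dom]) + len(h).to_bytes(4, "big") + h
           + len(n).to_bytes(4, "big") + n + data)
    return hmac.new(k, enc, hashlib.sha256).digest()[:N]

def ctr(k, iv, data):
    # Counter mode with a PRF: keystream block i = PRF(k, 0 || iv || i).
    out = bytearray()
    for i in range(0, len(data), N):
        ks = hmac.new(k, b"\x00" + iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + N], ks))
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# SIV (slide 12): the tag T = PRF(H/N, M) doubles as the CTR IV.
def siv_encrypt(k, h, n, m):
    t = prf(k, 1, h, n, m)
    return t, ctr(k, t, m)

def siv_decrypt_rup(k, h, n, t, c):
    # RUP model: the plaintext is released even when the tag check fails.
    m = ctr(k, t, c)
    return m, hmac.compare_digest(prf(k, 1, h, n, m), t)

# RIV (slide 14): R = PRF-1(H/N, M) is the IV; T = PRF-2(H/N, C) xor R (assumed).
def riv_encrypt(k, h, n, m):
    r = prf(k, 1, h, n, m)
    c = ctr(k, r, m)
    return xor(prf(k, 2, h, n, c), r), c

def riv_decrypt_rup(k, h, n, t, c):
    r = xor(prf(k, 2, h, n, c), t)  # any change to (H/N, C, T) yields a fresh R
    m = ctr(k, r, c)
    return m, hmac.compare_digest(prf(k, 1, h, n, m), r)

def keystream_reused(decrypt_rup, k, h, n, t, c, m):
    # Flip one byte of C, keep T, and check whether the released (invalid)
    # plaintext differs from M by exactly that flip: the "one-time pad used twice".
    c2 = bytes([c[0] ^ 0x01]) + c[1:]
    m2, valid = decrypt_rup(k, h, n, t, c2)
    return (not valid) and xor(m2, m) == xor(c2, c)
```

With SIV the check reports keystream reuse (the released plaintext of the modified ciphertext is M shifted by the same flip); with RIV the fresh R makes the released plaintext unrelated to M, which is the resilience slide 19 argues for.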

SLIDE 20

Instantiation of RIV

Based on AES-128

PRFs: Encode-Hash-Encrypt:
  • Unique encoding for inputs
  • Apply CLHASH, a multi-stage universal hash function
  • Feed the result into the block cipher

Encryption: AES in CTR mode

SLIDE 21

Performant Instantiation

  • AEZ (with 4-round AES)
  • Two fast SIV-like schemes: MRO [Granger et al. ’15], GCM-SIV [Gueron and Lindell ’15]
  • Our SIV-x and our RIV-x (x: internal key size in bytes for CLHASH)

[Bar chart: cycles per byte for AEZ, GCM-SIV, MRO, SIV-256, SIV-1024, RIV-256 and RIV-1024; y-axis from 0.25 to 1.50 cycles per byte.]

SLIDE 25 (final build of slides 22-25)

RIV in a Nutshell

Type: Off-line nonce-based AE scheme
Based on: Block cipher + universal hash
Resilience: ✓ Nonce reuse; ✓ Release of unverified plaintext
Assurance: ✓ Provably secure if the block cipher is secure
Inverse-free: ✓
Parallelizable: ✓
Static header: ✓ Result can be cached

SLIDE 26

Section 2: Resilience

SLIDE 32 (final build of slides 27-32)

Why do we need “Resilience”?

  • Things go wrong.
  • Users do unexpected things.
  • Cryptanalysts achieve unexpected results.
  • Applications are used for purposes they have not been designed for.
  • Application engineers are stupid.
  • xxxxxxxxx know less about crypto than we do.

SLIDE 33

Definitions for “Resilience”

https://en.wiktionary.org/wiki/resilience

1. The mental ability to recover quickly from depression, illness or misfortune.
2. The physical property of material that can resume its shape after being stretched or deformed; elasticity.
3. The positive ability of a system or company to adapt itself to the consequences of a catastrophic failure caused by power outage, a fire, a bomb or similar (particularly IT systems, archives).

SLIDE 38 (final build of slides 34-38)

Resilience of Cryptosystems

my definition

The positive ability of a cryptosystem to cope with violations of its security assumptions.

These include (but may not be limited to)
  • implementation failures,
  • usage in unanticipatedly hostile environments,
  • side-channel attacks,
  • violations of cryptographic assumptions, and
  • compromise of some trusted components of trusted processes.

SLIDE 39

Crypto without “Resilience”

Design cryptosystems to be secure when used as specified.
If things go wrong, this is not your problem.
Blame the user, or the application engineer, or the managers, or the standardization committee, or . . .
Even if you win that blame game, do you think you did a good job?

SLIDE 40

?