salvaging weak security bounds for blockcipher based
play

Salvaging Weak Security Bounds for Blockcipher-based Constructions - PowerPoint PPT Presentation

Sep 06, 2023 •16 likes •246 views

Salvaging Weak Security Bounds for Blockcipher-based Constructions Thomas Shrimpton (University of Florida) Seth Terashima (Qualcomm Technologies, inc.) What weak bounds? ...from encrypting lots of data Intel Hardware RNG: Single-machine

  1. Salvaging Weak Security Bounds for Blockcipher-based Constructions Thomas Shrimpton (University of Florida) Seth Terashima (Qualcomm Technologies, inc.)

  2. What weak bounds? ● ...from encrypting lots of data Intel Hardware RNG: Single-machine bound on Adversary exceeds 2 -30 in four months , 2 -40 in four days . With 1,000 machines (break-one-and-win), Adversary bound exceeds 2 -20 in four days. ● ...from using small block, key sizes Sensor networks, “Internet of Things”

  3. What weak bounds? ● ...from encrypting lots of data Intel Hardware RNG: Single-machine bound on Adversary exceeds 2 -30 in four months , 2 -40 in four days . With 1,000 machines (break-one-and-win), Adversary bound exceeds 2 -20 in four days. ● ...from using small block, key sizes Sensor networks, “Internet of Things” Rekeying can help, but “hybrid arguments” multiply Adversary advantage by number of keys used.

  4. Don't panic. Adversary Advantage Best known attacks Provable upper bound

  5. Case Study: NIST CTR-DRBG (Counter-mode based deterministic random bit generator) IV IV+1 IV+2 Initialize with random (K, IV) E K E K E K On each query: Update (K, IV) ← (K', IV') Return R as random value R K' IV'

  6. Case Study: NIST CTR-DRBG (Counter-mode based deterministic random bit generator) IV IV+1 IV+2 Initialize with random (K, IV) E K E K E K On each query: Update (K, IV) ← (K', IV') Return R as random value R K' IV'

  7. Case Study: NIST CTR-DRBG (Counter-mode based deterministic random bit generator) IV IV+1 IV+2 Initialize with random (K, IV) E K E K E K On each query: Update (K, IV) ← (K', IV') Return R as random value R K' IV'

  8. Case Study: NIST CTR-DRBG How tight is this bound? Generic PRP attack on q keys IV IV+1 IV+2 with q time: ● Encrypt 0 n under each of the q keys E K E K E K ● Choose q distinct keys at random, encrypt 0 n under each R K' IV' ● Look for matches (use a hash table) Attack doesn't work here because the mode of ● Advantage: ~ q 2 /2 k operation prevents it . We can't reuse a plaintext, attack q “target” keys simultaneously with a single “test” key.

  9. (Short) Construction-Specific proofs Support for Our Theorems blockcipher- dependent rekeying

  10. (Short) Construction-Specific proofs Support for Our Theorems blockcipher- dependent rekeying Recovered standard-model result

  11. (Short) Construction-Specific proofs Support for Our Theorems blockcipher- dependent rekeying Recovered Tighter ideal-cipher standard-model model bounds result + Secret/Random key guarantee + Surface precomputation effectiveness

  12. (Short) Construction-Specific proofs Support for Our Theorems blockcipher- dependent rekeying Recovered Tighter ideal-cipher TBC-based standard-model model bounds construction result + + Secret/Random key Standard-model guarantee proof + Surface precomputation effectiveness

  13. ICM with Key-Oblivious Access Ideal Primitive Construction Decomposition (e.g., true RNG) (e.g., CTR-DRBG) (Mode + Scheduler) World 1 World 2 World 3 Identical black-box behavior Hard to distinguish (when blockcipher replaced w/ secret random function)

  14. Key-Oblivious Access Blockcipher Blockcipher query(n, X) Construction (e.g., CTR-DRBG) Mode Key Scheduler If i th Key Scheduler output is ( j , X ), assign: A decomposition (right) is faithful to a construction (left) if no adversary can distinguish the two.

  15. Key-Oblivious Access Blockcipher A mode is compatible with a scheduler if they cannot be forced query(n, X) to evaluate query at the same point (n, X). Only constructions that use random, secret keys have Mode Key Scheduler compatible decompositions . ● Allows reduction to standard model If i th Key Scheduler output ● Guarantees no related keys, is ( j , X ), assign: weak keys

  16. Using the model (what you need to do) Correctness – Find a compatible decomposition Efficiency – Bound the number of blockcipher queries made per adversary query, bound number of key handles used Sparsity – No input block is encrypted under more than μ key handles (except with probability ε ) ICM-KOA Security – Show Adversary has advantage δ when distinguishing decomposition from ideal primitive when the blockcipher is replaced by a random function that the adversary cannot compute “offline”.

  17. Case Study: NIST CTR-DRBG IV IV+1 IV+2 Initialize with random (K, IV) On each query: E K E K E K Update (K, IV) ← (K', IV') Return R as random value R K' IV' Decomposition: The mode and scheduler both get the initial IV as a key, and track it as part of their respective states.

  18. Case Study: NIST CTR-DRBG IV IV+1 IV+2 Initialize with random (K, IV) On each query: E K E K E K Update (K, IV) ← (K', IV') Return R as random value R K' IV' Efficiency: Each key handle is used on three input blocks, and the number of key handles equals the number of adversary queries.

  19. Case Study: NIST CTR-DRBG IV IV+1 IV+2 Initialize with random (K, IV) On each query: E K E K E K Update (K, IV) ← (K', IV') Return R as random value R K' IV' Sparsity: No input block is encrypted under more than c key handles, except with probability ~ (3q) c+1 /(2 cn (c+1)!). (Generalized birthday bound).

  20. Case Study: NIST CTR-DRBG IV IV+1 IV+2 Initialize with random (K, IV) On each query: F(K,•) F(K,•) F(K,•) Update (K, IV) ← (K', IV') Return R as random value R K' IV' ICM-KOA security: If F is a random function unknown the adversary, then the RNG behaves ideally unless a (K, X) pair is reused. This happens with probability at most 5q 2 /2 2n .

  21. Case Study: NIST CTR-DRBG IV IV+1 IV+2 Initialize with random (K, IV) On each query: F(K,•) F(K,•) F(K,•) Update (K, IV) ← (K', IV') Return R as random value R K' IV' Online queries Precomputation queries Offline queries

  22. Case Study: NIST CTR-DRBG In this case, the ICM-KOA: ● Recovers the O(q 2 /2 128 ) standard model bound ( four days to pass 2 -40 ) ● Also gives an ICM result of 748,229 years (2 80 offline queries) More generally, the ICM-KOA: ● Models blockcipher-dependent rekeying ● Gives a standard-model proof ● Offers tighter ICM bounds while forcing random + secret keys ● Quantifies effectiveness of precomputation, offline queries ● Implies standard-model security of a TBC-based construction … for a small, single effort.

  23. Questions? Also in the paper: analysis of rekeyed-counter mode variants, and some general results about multi-instance distinguishability games.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata Ibaraki University March 17, 2006 Fast Software Encryption, FSE 2006, Graz, Austria, March 1517, 2006 Blockcipher Modes Algorithms

1.42k views • 30 slides
Design approach to efficient blockcipher modes Kazuhiko Minematsu, NEC Corporation The Fourth

Design approach to efficient blockcipher modes Kazuhiko Minematsu, NEC Corporation The Fourth

Design approach to efficient blockcipher modes Kazuhiko Minematsu, NEC Corporation The Fourth Asian Workshop on Symmetric Key Cryptography, 19%22, December 2014, SETS Chennai, India 1 Introduction Blockcipher mode : turning a blockcipher

702 views • 59 slides
Circuit Lower-bounds Lecture 24 Weak circuits are indeed weak 1 Circuit Lower-bounds 2

Circuit Lower-bounds Lecture 24 Weak circuits are indeed weak 1 Circuit Lower-bounds 2

Circuit Lower-bounds Lecture 24 Weak circuits are indeed weak 1 Circuit Lower-bounds 2 Circuit Lower-bounds Today: 2 Circuit Lower-bounds Today: PARITY AC 0 2 Circuit Lower-bounds Today: PARITY AC 0 Two different proofs! (Latter

1.59k views • 137 slides
Provability of weak circuit lower bounds J an Pich Kurt G odel Research Center University

Provability of weak circuit lower bounds J an Pich Kurt G odel Research Center University

Proof complexity, Dagstuhl 1st February 2018 Provability of weak circuit lower bounds J an Pich Kurt G odel Research Center University of Vienna based on a joint work with Moritz M uller 1 / 11 Constructive proofs of circuit lower

674 views • 40 slides
On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1 , Mridul

On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1 , Mridul

On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1 , Mridul Nandi 2 , Moti Yung 3 1 National Institute of Standards and Technology (NIST), USA 2 C R Rao AIMSCS, Hyderabad, India 3 Google Inc. and Department of

605 views • 35 slides
Password-Based Cryptography: Strong Security from Weak Secrets Anja Lehmann IBM Research

Password-Based Cryptography: Strong Security from Weak Secrets Anja Lehmann IBM Research

Password-Based Cryptography: Strong Security from Weak Secrets Anja Lehmann IBM Research Zurich based on joint work with Jan Camenisch, Anna Lysyanskaya & Gregory Neven ROADMAP Password-Based Authentication How to make password

1.43k views • 43 slides
Blockcipher Security Notions Martijn Stam Department of Computer Science, University Of Bristol,

Blockcipher Security Notions Martijn Stam Department of Computer Science, University Of Bristol,

1 / 24 Blockcipher Security Notions Martijn Stam Department of Computer Science, University Of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB United Kingdom. Sibenik, 7 June 2016 Basic Syntax of Blockciphers DES

882 views • 85 slides
Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (NTT Secure

Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (NTT Secure

Introduction Specification for COFB Hardware Implementation Results of COFB-AES Conclusions References Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (NTT Secure Platform laboratories, Japan) Tetsu Iwata

470 views • 35 slides
Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (Indian

Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (Indian

Introduction Idealized Combined Feedback Construction : iCOFB Specification for COFB Hardware Implimentation Results of COFB Conclusion Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (Indian Statistical

457 views • 35 slides
Trail Bound Techniques in Primitives with Weak Alignment Silvia Mella 1 based on a joint work

Trail Bound Techniques in Primitives with Weak Alignment Silvia Mella 1 based on a joint work

Trail Bound Techniques in Primitives with Weak Alignment Silvia Mella 1 based on a joint work with Joan Daemen 2 and Gilles Van Assche 1 1 STMicroelectronics 2 Radboud University APBC 2018 Outline 1 Differential trails 2 Tree search 3 Bounds in

644 views • 50 slides
Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak ,

Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak ,

Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak , Venkatesh Raman, and Stefan Szeider SAT 2013 Backdoor Sets Introduced by Crama et al. 1997 and independently by Williams et al. 2003 in an

768 views • 12 slides
The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho

The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho

The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho Moriai 1 , Tetsu Iwata 2 1 Sony Corporation 2 Nagoya University Direction for designing a new blockcipher Priority for Choosing an algorithm 1.

464 views • 19 slides
Minimum Blockcipher Calls for Block cipher based Designs Mridul Nandi Indian Statistical

Minimum Blockcipher Calls for Block cipher based Designs Mridul Nandi Indian Statistical

Minimum Blockcipher Calls for Block cipher based Designs Mridul Nandi Indian Statistical Institute, Kolkata mridul@isical.ac.in 30th Sept, ASK-2015, NTU, Singapore Symmetric Key Primitives Distinguishing Game Distinguishing a real keyed

588 views • 33 slides
Security Bounds for the Design of Code-Based Cryptosystems M. Finiasz and N. Sendrier The

Security Bounds for the Design of Code-Based Cryptosystems M. Finiasz and N. Sendrier The

Security Bounds for the Design of Code-Based Cryptosystems M. Finiasz and N. Sendrier The Syndrome Decoding Problem e S r H n Syndrome Decoding (SD) Does e { 0 , 1 } n of weight w such that e H = S exist? NP-complete problem.

908 views • 31 slides
Security Bounds for the Design of Code-based Cryptosystems M. Finiasz et N. Sendrier The

Security Bounds for the Design of Code-based Cryptosystems M. Finiasz et N. Sendrier The

Security Bounds for the Design of Code-based Cryptosystems M. Finiasz et N. Sendrier The Syndrome Decoding Problem e S r H n Syndrome Decoding (SD) Does e { 0 , 1 } n of weight w such that e H = S exist? NP-complete problem.

445 views • 31 slides
On the Influence of Message Length in PMACs Security Bounds Atul Luykx 1 Bart Preneel 1 Alan

On the Influence of Message Length in PMACs Security Bounds Atul Luykx 1 Bart Preneel 1 Alan

On the Influence of Message Length in PMACs Security Bounds Atul Luykx 1 Bart Preneel 1 Alan Szepieniec 1 Kan Yasuda 2 1 COSIC, KU Leuven, Belgium 2 NTT Secure Platform Laboratories, Japan May 11, 2016 1 Security Bounds Factors: 1.

877 views • 64 slides
Random growth models and planted problems Graduating bits - ITCS 2016 Laura Florescu NYU

Random growth models and planted problems Graduating bits - ITCS 2016 Laura Florescu NYU

Random growth models and planted problems Graduating bits - ITCS 2016 Laura Florescu NYU January 14th, 2016 Laura Florescu NYU Random growth models and planted problems Graduating bits - ITCS 2016 January 14th, 2016 1 / 4 Bipartite

480 views • 4 slides
The generalization error of random features model: Precise asymptotics and double descent curve

The generalization error of random features model: Precise asymptotics and double descent curve

The generalization error of random features model: Precise asymptotics and double descent curve Song Mei Stanford University September 8, 2019 Joint work with Andrea Montanari Song Mei (Stanford University) Random feature regression

669 views • 22 slides
Event-Driven Random Backpropagation: Enabling Neuromorphic Deep Learning Machines Emre Neftci

Event-Driven Random Backpropagation: Enabling Neuromorphic Deep Learning Machines Emre Neftci

Event-Driven Random Backpropagation: Enabling Neuromorphic Deep Learning Machines Emre Neftci Department of Cognitive Sciences, UC Irvine, Department of Computer Science, UC Irvine, March 7, 2017 Scalable Event-Driven Learning Machines

653 views • 32 slides
Random Set Solutions to Stochastic Wave Equations Michael Oberguggenberger Lukas Wurzer ISIPTA

Random Set Solutions to Stochastic Wave Equations Michael Oberguggenberger Lukas Wurzer ISIPTA

Random Set Solutions to Stochastic Wave Equations Michael Oberguggenberger Lukas Wurzer ISIPTA 2019, Ghent, July 3 7, 2019 Ghent, July 3, 2019 Oberguggenberger/Wurzer ISIPTA 2019 Ghent, July 3, 2019 1 / 8 The Authors Michael

89 views • 8 slides
Forward-looking statements Except for the historical information contained herein, the matters

Forward-looking statements Except for the historical information contained herein, the matters

Forward-looking statements Except for the historical information contained herein, the matters discussed in this statement include forward- looking statements. In particular, all statements that express forecasts, expectations and projections with

472 views • 13 slides
A New Solution To The Random Assignment Problem By Anna Bogomolnaia, Herve Moulin Presented By

A New Solution To The Random Assignment Problem By Anna Bogomolnaia, Herve Moulin Presented By

A New Solution To The Random Assignment Problem By Anna Bogomolnaia, Herve Moulin Presented By Zach Jablons, Bharath Santosh The Assignment Problem How to best assign n objects to n agents Lotteries Random assignments of objects to

687 views • 30 slides
A common-neighbors-based random graph model for community structure Emily Fischer Cornell

A common-neighbors-based random graph model for community structure Emily Fischer Cornell

A common-neighbors-based random graph model for community structure Emily Fischer Cornell University May 12, 2017 A Exam Emily Fischer Outline 1. Introduction Preferential Attachment (PA) 2. Common Neighbors Model (CN) Degree

426 views • 38 slides
RRT-Connect: An Efficient Approach to Single-Query Path Planning James J. Kuffner, Jr. Steven M.

RRT-Connect: An Efficient Approach to Single-Query Path Planning James J. Kuffner, Jr. Steven M.

RRT-Connect: An Efficient Approach to Single-Query Path Planning James J. Kuffner, Jr. Steven M. LaValle ICRA 2000 Presented by Manel Baradad 6.882 Embodied Intelligence Spring 2020 Problem Single-query path planning, from start to goal. In

305 views • 26 slides

More recommend