[PPT] - Stronger security bounds Standard polynomial-evaluation for PowerPoint Presentation

SLIDE 1

Stronger security bounds for Wegman-Carter-Shoup authenticators

D. J. Bernstein

Thanks to: University of Illinois at Chicago NSF CCR–9983950 Alfred P. Sloan Foundation Standard polynomial-evaluation MAC: sender sends (1

1
1(

✁ ) + ✂ 1);

(2

2
2(

✁ ) + ✂ 2);

(3

3
3(

✁ ) + ✂ 3).

1

2
3: polynomials over

; univariate; degree 216; constant coefficient 0.

✁

✂ 1
✂ 2
✂ 3: elements of

; secret; known to sender, receiver. : field of size 2128.

SLIDE 2

bounds rter-Shoup Illinois at Chicago CCR–9983950 Foundation Standard polynomial-evaluation MAC: sender sends (1

1
1(

✁ ) + ✂ 1);

(2

2
2(

✁ ) + ✂ 2);

(3

3
3(

✁ ) + ✂ 3).

1

2
3: polynomials over

; univariate; degree 216; constant coefficient 0.

✁

✂ 1
✂ 2
✂ 3: elements of

; secret; known to sender, receiver. : field of size 2128. Wegman-Carter version: (

✁

✂ 1
✂ 2
✂ 3) is a unifo

random element of 2512 possibilities, each equally likely. Wegman-Carter-Shoup

✂ 1 = ✂ 2; ✂ 1 = ✂ 3; ✂ ✂

therwise uniform.

2256(2128

1)(2128
possibilities, each equally

How secure are these

SLIDE 3

Standard polynomial-evaluation MAC: sender sends (1

1
1(

✁ ) + ✂ 1);

(2

2
2(

✁ ) + ✂ 2);

(3

3
3(

✁ ) + ✂ 3).

1

2
3: polynomials over

; univariate; degree 216; constant coefficient 0.

✁

✂ 1
✂ 2
✂ 3: elements of

; secret; known to sender, receiver. : field of size 2128. Wegman-Carter version: (

✁

✂ 1
✂ 2
✂ 3) is a uniform

random element of

4. 2512 possibilities, each equally likely. Wegman-Carter-Shoup version:

✂ 1 = ✂ 2; ✂ 1 = ✂ 3; ✂ 2 = ✂ 3;

therwise uniform.

2256(2128

1)(2128
2)

possibilities, each equally likely. How secure are these MACs?

SLIDE 4

lynomial-evaluation

sends

✁

✂ 1);

✁

✂ 2);

✁

✂ 3).

lynomials over

; degree 216; efficient 0.

✁

✂
✂
✂

elements of ; sender, receiver.

128. Wegman-Carter version: (

✁

✂ 1
✂ 2
✂ 3) is a uniform

random element of

4. 2512 possibilities, each equally likely. Wegman-Carter-Shoup version:

✂ 1 = ✂ 2; ✂ 1 = ✂ 3; ✂ 2 = ✂ 3;

therwise uniform.

2256(2128

1)(2128
2)

possibilities, each equally likely. How secure are these MACs? Standard security b for Wegman-Carter: “Authenticators reveal no information about

✁

Conditional distribution

✁

given (1

1
1), (2
(3
3
3), is unifo

There are 2128 possible

✁

each consistent with unique choice of

✂

✁

✂ 2 = 2

2(

✁ ), ✂

✁

SLIDE 5

Wegman-Carter version: (

✁

✂ 1
✂ 2
✂ 3) is a uniform

random element of

4. 2512 possibilities, each equally likely. Wegman-Carter-Shoup version:

✂ 1 = ✂ 2; ✂ 1 = ✂ 3; ✂ 2 = ✂ 3;

therwise uniform.

2256(2128

1)(2128
2)

possibilities, each equally likely. How secure are these MACs? Standard security bounds for Wegman-Carter: “Authenticators reveal no information about

✁ .”

Conditional distribution of

✁ ,

given (1

1
1), (2
2
2),

(3

3
3), is uniform.

There are 2128 possible

✁ ’s,

each consistent with a unique choice of

✂ 1 = 1

1(

✁ ), ✂ 2 = 2

2(

✁ ), ✂ 3 = 3

3(

✁ ).

SLIDE 6

version:

✁

✂
✂
✂

a uniform

f

4.

ssibilities,

ely. rter-Shoup version:

✂ ✂ ✂ ✂

;

✂ 2 = ✂ 3;

rm.

128
2)

each equally likely. these MACs? Standard security bounds for Wegman-Carter: “Authenticators reveal no information about

✁ .”

Conditional distribution of

✁ ,

given (1

1
1), (2
2
2),

(3

3
3), is uniform.

There are 2128 possible

✁ ’s,

each consistent with a unique choice of

✂ 1 = 1

1(

✁ ), ✂ 2 = 2

2(

✁ ), ✂ 3 = 3

3(

✁ ).

Say attacker attempts (1

) with

= (0) = 0; degree Forgery is successful

=

(

✁ ) + ✂ 1 =

(

✁ ) + 1

✁

✁

is a root of

1 +

1

polynomial of degree

so it has 216 roots. Attempted forgery 216 2128 chance

SLIDE 7

Standard security bounds for Wegman-Carter: “Authenticators reveal no information about

✁ .”

Conditional distribution of

✁ ,

given (1

1
1), (2
2
2),

(3

3
3), is uniform.

There are 2128 possible

✁ ’s,

each consistent with a unique choice of

✂ 1 = 1

1(

✁ ), ✂ 2 = 2

2(

✁ ), ✂ 3 = 3

3(

✁ ).

Say attacker attempts forgery (1

) with

=

1;

(0) = 0; degree 216. Forgery is successful

=

(

✁ ) + ✂ 1 =

(

✁ ) + 1

1(

✁ ) ✁

is a root of

1 +

1

.
1 +

1

is a nonzero

polynomial of degree 216 so it has 216 roots. Attempted forgery has 216 2128 chance of success.

SLIDE 8

y bounds rter: reveal about

✁ .”

distribution of

✁ ,

), (2
2
2),
uniform.
ssible

✁ ’s,

with a

✂ 1 = 1

1(

✁ ), ✂

✁ ),

✂ 3 = 3

3(

✁ ).

Say attacker attempts forgery (1

) with

=

1;

(0) = 0; degree 216. Forgery is successful

=

(

✁ ) + ✂ 1 =

(

✁ ) + 1

1(

✁ ) ✁

is a root of

1 +

1

.
1 +

1

is a nonzero

polynomial of degree 216 so it has 216 roots. Attempted forgery has 216 2128 chance of success. Original security bounds for Wegman-Carter-Shoup: “Authenticators reveal very little information

✁

(1996 Shoup) Stronger security b for Wegman-Carter-Shoup: “Wegman-Carter-Shoup identical to Wegman-Ca (bounds, 2004.10 Bernstein; this proof, 2005.03 Warning: carelessness weaker (“game-pla

SLIDE 9

Say attacker attempts forgery (1

) with

=

1;

(0) = 0; degree 216. Forgery is successful

=

(

✁ ) + ✂ 1 =

(

✁ ) + 1

1(

✁ ) ✁

is a root of

1 +

1

.
1 +

1

is a nonzero

polynomial of degree 216 so it has 216 roots. Attempted forgery has 216 2128 chance of success. Original security bounds for Wegman-Carter-Shoup: “Authenticators reveal very little information about

✁ .”

(1996 Shoup) Stronger security bounds for Wegman-Carter-Shoup: “Wegman-Carter-Shoup is almost identical to Wegman-Carter.” (bounds, 2004.10 Bernstein; this proof, 2005.03 Bernstein) Warning: carelessness leads to weaker (“game-playing”) bounds.

SLIDE 10

attempts forgery

=

1;

degree 216. successful

✁

✂

✁
1(

✁ ) ✁

1 +

1

.
is a nonzero

degree 216 roots. rgery has chance of success. Original security bounds for Wegman-Carter-Shoup: “Authenticators reveal very little information about

✁ .”

(1996 Shoup) Stronger security bounds for Wegman-Carter-Shoup: “Wegman-Carter-Shoup is almost identical to Wegman-Carter.” (bounds, 2004.10 Bernstein; this proof, 2005.03 Bernstein) Warning: carelessness leads to weaker (“game-playing”) bounds. Fix a deterministic generates

1; sees

✁ ✂

generates

2; sees

✁ ✂

generates

3; sees

✁ ✂

generates forgery attempt (

) with
=

✁ ,

(0) = (Generalizations: randomized variable # of chosen arbitrary order of nonces; variable # of forgery

SLIDE 11

Original security bounds for Wegman-Carter-Shoup: “Authenticators reveal very little information about

✁ .”

(1996 Shoup) Stronger security bounds for Wegman-Carter-Shoup: “Wegman-Carter-Shoup is almost identical to Wegman-Carter.” (bounds, 2004.10 Bernstein; this proof, 2005.03 Bernstein) Warning: carelessness leads to weaker (“game-playing”) bounds. Fix a deterministic attack that generates

1; sees 1(

✁ ) + ✂ 1;

generates

2; sees 2(

✁ ) + ✂ 2;

generates

3; sees 3(

✁ ) + ✂ 3;

generates forgery attempt (

) with
1

2 3 ,

=

✁ ,

(0) = 0, deg 216. (Generalizations: randomized ; variable # of chosen messages; arbitrary order of nonces; variable # of forgery attempts.)

SLIDE 12

bounds rter-Shoup: reveal rmation about

✁ .”

bounds rter-Shoup: rter-Shoup is almost egman-Carter.” 2004.10 Bernstein; 2005.03 Bernstein) relessness leads to (“game-playing”) bounds. Fix a deterministic attack that generates

1; sees 1(

✁ ) + ✂ 1;

generates

2; sees 2(

✁ ) + ✂ 2;

generates

3; sees 3(

✁ ) + ✂ 3;

generates forgery attempt (

) with
1

2 3 ,

=

✁ ,

(0) = 0, deg 216. (Generalizations: randomized ; variable # of chosen messages; arbitrary order of nonces; variable # of forgery attempts.) Apply to Wegman-Ca Pr[

=

(

✁ ) + ✂ ✁ ]

Proved this earlier. For each

3:

conditional probabilit that

=

(

✁ ) + ✂ ✁

given that (

✂ 1

✂ 2
✂

Pr[

=

(

✁ ) + ✂ ✁ ]

= Pr[(

✂ 1

✂ 2
✂

= 2

384 ( ).

Thus 2

384 (

SLIDE 13

Fix a deterministic attack that generates

1; sees 1(

✁ ) + ✂ 1;

generates

2; sees 2(

✁ ) + ✂ 2;

generates

3; sees 3(

✁ ) + ✂ 3;

generates forgery attempt (

) with
1

2 3 ,

=

✁ ,

(0) = 0, deg 216. (Generalizations: randomized ; variable # of chosen messages; arbitrary order of nonces; variable # of forgery attempts.) Apply to Wegman-Carter. Pr[

=

(

✁ ) + ✂ ✁ ]

1 2112. Proved this earlier. For each

3: Define

( ) as conditional probability that

=

(

✁ ) + ✂ ✁

given that (

✂ 1

✂ 2
✂ 3) =

. Pr[

=

(

✁ ) + ✂ ✁ ]

= Pr[(

✂ 1

✂ 2
✂ 3) =

] ( ) = 2

384 ( ).

Thus 2

384 ( )

1 2112.

SLIDE 14

deterministic attack that sees

1(

✁ ) + ✂ 1;

sees

2(

✁ ) + ✂ 2;

sees

3(

✁ ) + ✂ 3;

rgery attempt

1

2 3 , ✁

= 0, deg 216. (Generalizations: randomized ; chosen messages;

f nonces;

rgery attempts.) Apply to Wegman-Carter. Pr[

=

(

✁ ) + ✂ ✁ ]

1 2112. Proved this earlier. For each

3: Define

( ) as conditional probability that

=

(

✁ ) + ✂ ✁

given that (

✂ 1

✂ 2
✂ 3) =

. Pr[

=

(

✁ ) + ✂ ✁ ]

= Pr[(

✂ 1

✂ 2
✂ 3) =

] ( ) = 2

384 ( ).

Thus 2

384 ( )

1 2112. Apply to Wegman-Ca Pr[(

✂ 1

✂ 2
✂ 3) =
= 2384 2128(2128
For

3: Conditional

that

=

(

✁ ) + ✂ ✁

(

✂ 1

✂ 2
✂ 3) =

, is so Pr[

=

(

✁ ) + ✂ ✁

2

384

( ) This is the stronger Could take careless use Pr 1 to get w Pr 1 2112 + 3 2

SLIDE 15

Apply to Wegman-Carter. Pr[

=

(

✁ ) + ✂ ✁ ]

1 2112. Proved this earlier. For each

3: Define

( ) as conditional probability that

=

(

✁ ) + ✂ ✁

given that (

✂ 1

✂ 2
✂ 3) =

. Pr[

=

(

✁ ) + ✂ ✁ ]

= Pr[(

✂ 1

✂ 2
✂ 3) =

] ( ) = 2

384 ( ).

Thus 2

384 ( )

1 2112. Apply to Wegman-Carter-Shoup. Pr[(

✂ 1

✂ 2
✂ 3) =

] 2

384

where = 2384 2128(2128

1)(2128
2).

For

3: Conditional probability

that

=

(

✁ ) + ✂ ✁ , given that

(

✂ 1

✂ 2
✂ 3) =

, is the same ( ), so Pr[

=

(

✁ ) + ✂ ✁ ]

2

384

( ) 2112. This is the stronger security bound. Could take careless extra step: use Pr 1 to get weaker bound Pr 1 2112 + 3 2128.

SLIDE 16

egman-Carter.

✁

✂ ✁ ]

1 2112. rlier. : Define ( ) as robability

✁

✂ ✁ ✂

✂
✂ 3) =

.

✁

✂ ✁ ] ✂

✂
✂ 3) =

] ( )

).
( )

1 2112. Apply to Wegman-Carter-Shoup. Pr[(

✂ 1

✂ 2
✂ 3) =

] 2

384

where = 2384 2128(2128

1)(2128
2).

For

3: Conditional probability

that

=

(

✁ ) + ✂ ✁ , given that

(

✂ 1

✂ 2
✂ 3) =

, is the same ( ), so Pr[

=

(

✁ ) + ✂ ✁ ]

2

384

( ) 2112. This is the stronger security bound. Could take careless extra step: use Pr 1 to get weaker bound Pr 1 2112 + 3 2128. Wegman-Carter-Shoup after 240 chosen messages and forgery attempts: Stronger: (2

Careless:

( Original: (2

260 instead of 240:

Stronger: (2

Careless:

( Original: .

SLIDE 17

Apply to Wegman-Carter-Shoup. Pr[(

✂ 1

✂ 2
✂ 3) =

] 2

384

where = 2384 2128(2128

1)(2128
2).

For

3: Conditional probability

that

=

(

✁ ) + ✂ ✁ , given that

(

✂ 1

✂ 2
✂ 3) =

, is the same ( ), so Pr[

=

(

✁ ) + ✂ ✁ ]

2

384

( ) 2112. This is the stronger security bound. Could take careless extra step: use Pr 1 to get weaker bound Pr 1 2112 + 3 2128. Wegman-Carter-Shoup bounds after 240 chosen messages and forgery attempts: Stronger: (2112

263).

Careless: ( 2112) + (1 249). Original: (2112

279).

260 instead of 240: Stronger: (2112

2103).

Careless: ( 2112) + (1 29). Original: .

SLIDE 18

egman-Carter-Shoup.

✂

✂
✂

] 2

384

where

128

1)(2128
2).

Conditional probability

✁

✂ ✁ , given that ✂

✂
✂

is the same ( ),

✁

+

✂ ✁ ]

)

2112. stronger security bound. reless extra step: get weaker bound 2128. Wegman-Carter-Shoup bounds after 240 chosen messages and forgery attempts: Stronger: (2112

263).

Careless: ( 2112) + (1 249). Original: (2112

279).

260 instead of 240: Stronger: (2112

2103).

Careless: ( 2112) + (1 29). Original: . Generalize

( ✁ ) + ✂

(

) + ✂ where

small differential p Pr[ ( )

(

✁

) =

✂

Original bound

✂

for as large as

✂

where is # chosen Proof strategy is do for larger . Stronger bound

✂

for as large as Careless bound

✂

SLIDE 19

Wegman-Carter-Shoup bounds after 240 chosen messages and forgery attempts: Stronger: (2112

263).

Careless: ( 2112) + (1 249). Original: (2112

279).

260 instead of 240: Stronger: (2112

2103).

Careless: ( 2112) + (1 29). Original: . Generalize

( ✁ ) + ✂ to any

(

) + ✂ where

has small differential probabilities: Pr[ ( )

(

✁

) = ]

✂ .

Original bound

✂

for as large as 1

✂ ,

where is # chosen messages. Proof strategy is doomed for larger . Stronger bound

✂

for as large as 2128. Careless bound

✂ +

2 2129.

SLIDE 20

rter-Shoup bounds messages attempts: (2112

263).

2112) + (1 249). (2112

279).

40:

(2112

2103).

2112) + (1 29). . Generalize

( ✁ ) + ✂ to any

(

) + ✂ where

has small differential probabilities: Pr[ ( )

(

✁

) = ]

✂ .

Original bound

✂

for as large as 1

✂ ,

where is # chosen messages. Proof strategy is doomed for larger . Stronger bound

✂

for as large as 2128. Careless bound

✂ +

2 2129.

Wegman-Carter-Shoup implies (

) + AES

✁

if AES is secure. Explicit AES securit AES

(1) AES (2)

✂

✂ ✂

indistinguishable from

✂

✂
✂

✂ ✂

Not true for Wegman-Ca i.e., not true without conditions

✂ 1 = ✂ 2

Wegman-Carter

✂ 1

✂
✂

✂ ✂

✂

✄

ften collide for large

SLIDE 21

Generalize

( ✁ ) + ✂ to any

(

) + ✂ where

has small differential probabilities: Pr[ ( )

(

✁

) = ]

✂ .

Original bound

✂

for as large as 1

✂ ,

where is # chosen messages. Proof strategy is doomed for larger . Stronger bound

✂

for as large as 2128. Careless bound

✂ +

2 2129.

Wegman-Carter-Shoup security implies (

) + AES ( ✁ ) security

if AES is secure. Explicit AES security goal: AES

(1) AES (2)

✂

✂ ✂

indistinguishable from

✂ 1

✂ 2
✂

✂ ✂ .

Not true for Wegman-Carter: i.e., not true without conditions

✂ 1 = ✂ 2 etc.

Wegman-Carter

✂ 1

✂ 2
✂

✂ ✂

✂

✄

ften collide for large

.

SLIDE 22

✁ ) +

✂ to any

✂

where

has differential probabilities:

✁

) = ]

✂ . ✂

1

✂ ,

chosen messages. doomed

✂

2128.

✂ +

2 2129.

Wegman-Carter-Shoup security implies (

) + AES ( ✁ ) security

if AES is secure. Explicit AES security goal: AES

(1) AES (2)

✂

✂ ✂

indistinguishable from

✂ 1

✂ 2
✂

✂ ✂ .

Not true for Wegman-Carter: i.e., not true without conditions

✂ 1 = ✂ 2 etc.

Wegman-Carter

✂ 1

✂ 2
✂

✂ ✂

✂

✄

ften collide for large

. MAC speed leader: http://cr.yp.to/mac.html Poly1305-AES bound

✂

is

✂✁

16

✄

2103 for

✁ -byte messages.

e.g.,

✂

2

92 for ✁

Security gap compa 1

✂ 7

292 if With old security b was limited to ab

SLIDE 23

Wegman-Carter-Shoup security implies (

) + AES ( ✁ ) security

if AES is secure. Explicit AES security goal: AES

(1) AES (2)

✂

✂ ✂

indistinguishable from

✂ 1

✂ 2
✂

✂ ✂ .

Not true for Wegman-Carter: i.e., not true without conditions

✂ 1 = ✂ 2 etc.

Wegman-Carter

✂ 1

✂ 2
✂

✂ ✂

✂

✄

ften collide for large

. MAC speed leader: Poly1305-AES, http://cr.yp.to/mac.html. Poly1305-AES bound on

✂

is

✂✁

16

✄

2103 for

✁ -byte messages.

e.g.,

✂

2

92 for ✁ = 2048.

Security gap compared to AES 1

✂ 7

292 if 264. With old security bound, was limited to about 246.

SLIDE 24

rter-Shoup security

AES

( ✁ ) security

security goal:

(2)
✂

✂ ✂

from

✂ 1

✂ 2
✂

✂ ✂ .

egman-Carter: without

✂ ✂ 2 etc. ✂ 1

✂ 2
✂

✂ ✂

✂

✄

large . MAC speed leader: Poly1305-AES, http://cr.yp.to/mac.html. Poly1305-AES bound on

✂

is

✂✁

16

✄

2103 for

✁ -byte messages.

e.g.,

✂

2

92 for ✁ = 2048.

Security gap compared to AES 1

✂ 7

292 if 264. With old security bound, was limited to about 246. Improved security b apply far beyond the “Stronger security permutations”: http://cr.yp.to /papers.html#permutations Stronger than “game-pla Another application: is provably stronger /papers.html#countermode coming soon.

SLIDE 25

MAC speed leader: Poly1305-AES, http://cr.yp.to/mac.html. Poly1305-AES bound on

✂

is

✂✁

16

✄

2103 for

✁ -byte messages.

e.g.,

✂

2

92 for ✁ = 2048.

Security gap compared to AES 1

✂ 7

292 if 264. With old security bound, was limited to about 246. Improved security bounds apply far beyond the MAC context. “Stronger security bounds for permutations”: http://cr.yp.to /papers.html#permutations Stronger than “game-playing.” Another application: Counter mode is provably stronger than CBC. /papers.html#countermode, coming soon.

SLIDE 26

leader: Poly1305-AES, http://cr.yp.to/mac.html.

und on

✂ ✂✁ ✄ ✁

messages.

✂

r

✁ = 2048.

compared to AES

✂

264. y bound, about 246. Improved security bounds apply far beyond the MAC context. “Stronger security bounds for permutations”: http://cr.yp.to /papers.html#permutations Stronger than “game-playing.” Another application: Counter mode is provably stronger than CBC. /papers.html#countermode, coming soon. AES security problems 16-byte block invertibilit Partly fixed in this but still annoying. AES security problems secret-index table lo “Not vulnerable to was wrong. Very ha without extreme slo /papers.html#cachetiming Many fast stream ciphers don’t have these p Do we want to keep

SLIDE 27

Improved security bounds apply far beyond the MAC context. “Stronger security bounds for permutations”: http://cr.yp.to /papers.html#permutations Stronger than “game-playing.” Another application: Counter mode is provably stronger than CBC. /papers.html#countermode, coming soon. AES security problems from 16-byte block invertibility: Partly fixed in this talk, but still annoying. AES security problems from secret-index table lookups: “Not vulnerable to timing attacks” was wrong. Very hard to fix without extreme slowdowns. /papers.html#cachetiming Many fast stream ciphers don’t have these problems. Do we want to keep AES?