the limited power of verification queries in message
play

The Limited Power of Verification Queries in Message Authentication - PowerPoint PPT Presentation

Jul 17, 2023 •8 likes •428 views

The Limited Power of Verification Queries in Message Authentication and Authenticated Encryption September 29, 2015 Atul Luykx, Bart Preneel, Kan Yasuda 1 / 15 Modes of Operation p E K F K E K 2 / 15 Modes of Operation p E K F K

  1. The Limited Power of Verification Queries in Message Authentication and Authenticated Encryption September 29, 2015 Atul Luykx, Bart Preneel, Kan Yasuda 1 / 15

  2. Modes of Operation p � E K F K E K 2 / 15

  3. Modes of Operation p � E K F K E K Example: Deoxys AES-OTR ASCON OMD 2 / 15

  4. Modes of Operation p � E K F K E K Example: Deoxys AES-OTR ASCON OMD Advantage of modes: able to focus on primitive 1 Reduce security of AE scheme to that of underlying primitive 2 For AE this is done for confidentiality and authenticity 2 / 15

  5. Reduction Loss 1 Reduction is often not perfect, results in a loss of security 2 Loss of security quantified in terms of parameters Table: Examples of parameters. Block size n q Number of tagging or encryption queries k Key length Maximum message length ℓ σ Total number of encryption and decryption blocks 3 / 15

  6. Various AE Bounds p � E K f E K Example: Deoxys AES-OTR ASCON OMD 4 / 15

  7. Various AE Bounds p � E K f E K Example: Deoxys AES-OTR ASCON OMD σ 2 σ 2 σ 2 Confidentiality: 2 n + ( S ) PRP 0 2 n + PRF 2 n 4 / 15

  8. Various AE Bounds p � E K f E K Example: Deoxys AES-OTR ASCON OMD σ 2 σ 2 σ 2 Confidentiality: 2 n + ( S ) PRP 0 2 n + PRF 2 n + v + v + v + v Authenticity: 2 n 2 n 2 n 2 n 4 / 15

  9. Improved Bounds: MAC Message Length Much research performed reducing message length dependence from quadratic to linear for MACs: PMAC, CBC-MAC, EMAC, OMAC, TMAC ℓ 2 q 2 → ℓq 2 − 2 n 2 n 5 / 15

  10. Improved Bounds: MAC Message Length Much research performed reducing message length dependence from quadratic to linear for MACs: PMAC, CBC-MAC, EMAC, OMAC, TMAC ℓ 2 q 2 → ℓq 2 − 2 n 2 n n = 128 , q = 2 48 : ℓ ≤ 2 15 − → ℓ ≤ 2 30 5 / 15

  11. Improved Bounds: MAC Message Length Much research performed reducing message length dependence from quadratic to linear for MACs: PMAC, CBC-MAC, EMAC, OMAC, TMAC ℓ 2 q 2 → ℓq 2 − 2 n 2 n n = 128 , q = 2 48 : ℓ ≤ 2 15 − → ℓ ≤ 2 30 n = 128 , ℓ = 2 15 : q ≤ 2 48 − → q ≤ 2 63 5 / 15

  12. Improved Bounds: Permutation Based Modes c n k security 192 128 96 96 Ascon 256 64 128 128 254 1026 128 128 ICEPOLE 318 962 256 256 192 320 128 128 NORX 384 640 256 256 159 41 80 80 GIBBON/ HANUMAN 239 41 120 120 6 / 15

  13. Improved Bounds: Permutation Based Modes c n k security 96 224 96 96 Ascon 128 192 128 128 254 1026 128 128 ICEPOLE 318 962 256 256 192 320 128 128 NORX 384 640 256 256 159 41 80 80 GIBBON/ HANUMAN 239 41 120 120 6 / 15

  14. Improved Bounds: Permutation Based Modes n security c n k n old 96 224 1.75 96 96 Ascon 128 192 3 128 128 254 1026 128 128 ICEPOLE 318 962 256 256 192 320 128 128 NORX 384 640 256 256 159 41 80 80 GIBBON/ HANUMAN 239 41 120 120 6 / 15

  15. Improved Bounds: Permutation Based Modes n security c n k n old 96 224 1.75 96 96 Ascon 128 192 3 128 128 128 1152 1.12 128 128 ICEPOLE 256 1024 1.06 256 256 128 384 1.2 128 128 NORX 256 768 1.2 256 256 80 120 2.92 80 80 GIBBON/ HANUMAN 120 160 3.90 120 120 6 / 15

  16. Improved security bounds leads to 1 Better parameter choices 2 Increased longevity 3 Increased efficiency 7 / 15

  17. Improved security bounds leads to 1 Better parameter choices 2 Increased longevity 3 Increased efficiency Despite advances, there is still a lot of work left. 7 / 15

  18. Authenticity Definition M M T Verify Tag T M ⊥ Auth ( q, v ) : forgery success with q tagging queries and v forgery attempts 8 / 15

  19. Authenticity Bounds σ 2 → ℓ 2 ( q + v ) 2 2 n − 2 n 9 / 15

  20. Authenticity Bounds σ 2 → ℓ 2 ( q + v ) 2 2 n − 2 n 1 128 bit block cipher ℓ 2 ( q + v ) 2 2 128 9 / 15

  21. Authenticity Bounds σ 2 → ℓ 2 ( q + v ) 2 2 n − 2 n 1 128 bit block cipher 2 Only one-block verification queries 1 2 (0 + v ) 2 2 128 9 / 15

  22. Authenticity Bounds σ 2 → ℓ 2 ( q + v ) 2 2 n − 2 n 1 128 bit block cipher 2 Only one-block verification queries v 2 2 128 9 / 15

  23. Authenticity Bounds σ 2 → ℓ 2 ( q + v ) 2 2 n − 2 n 1 128 bit block cipher 2 Only one-block verification queries v 2 v vs 2 128 2 128 9 / 15

  24. Authenticity Bounds σ 2 → ℓ 2 ( q + v ) 2 2 n − 2 n 1 128 bit block cipher 2 Only one-block verification queries v 2 v vs 2 128 2 128 1 v = 2 64 : 1 vs 2 64 9 / 15

  25. Optimal Bound So far only certain types of MACs have optimal bound: 1 Nonce-based 2 Multiple keys Excludes PMAC, CBC-MAC, OMAC 10 / 15

  26. Optimal Bound So far only certain types of MACs have optimal bound: 1 Nonce-based 2 Multiple keys Excludes PMAC, CBC-MAC, OMAC For AE 1 except for TBC modes, none with optimal bounds 2 Generic composition: reduction to MAC-security → need optimal MACs 10 / 15

  27. Question Why do well-designed schemes exhibit quadratic dependence? 11 / 15

  28. Question Why do well-designed schemes exhibit quadratic dependence? Proof techniques 11 / 15

  29. PRF-based MAC M T PRF Y 12 / 15

  30. PRF-based MAC M T PRF ? Y = M ⊥ 12 / 15

  31. Generic Reduction Best possible generic reduction: Auth ( q, v ) 13 / 15

  32. Generic Reduction Best possible generic reduction: v Auth ( q, v ) ≤ 2 τ + PRF ( q + v ) 13 / 15

  33. Generic Reduction Best possible generic reduction: v Auth ( q, v ) ≤ 2 τ + PRF ( q + v ) � � q 2 + v 2 PRF ( q + v ) ∈ Ω 2 s 13 / 15

  34. Generic Reduction Best possible generic reduction: v Auth ( q, v ) ≤ 2 τ + PRF ( q + v ) � � q 2 + v 2 PRF ( q + v ) ∈ Ω 2 s PMAC 2 τ + c · ℓ ( q + v ) 2 v 2 n 13 / 15

  35. PRP-PRF Switch PRP-PRF Switch: 0 . 5 σ 2 2 n 14 / 15

  36. PRP-PRF Switch PRP-PRF Switch: 0 . 5 σ 2 2 n GCM with nonce length fixed to 96 bits 14 / 15

  37. PRP-PRF Switch PRP-PRF Switch: 0 . 5 σ 2 2 n GCM with nonce length fixed to 96 bits Confidentiality: 0 . 5( σ + q + 1) 2 2 n � �� � PRP-PRF switch 14 / 15

  38. PRP-PRF Switch PRP-PRF Switch: 0 . 5 σ 2 2 n GCM with nonce length fixed to 96 bits Confidentiality: 0 . 5( σ + q + 1) 2 2 n � �� � PRP-PRF switch Authenticity: 0 . 5( σ + q + v + 1) 2 + v ( ℓ + 1) 2 n 2 τ � �� � PRP-PRF switch 14 / 15

  39. Summary 1 Better security bounds improve longevity and efficiency of schemes 15 / 15

  40. Summary 1 Better security bounds improve longevity and efficiency of schemes 2 Many schemes exhibit a quadratic dependence on verification queries 15 / 15

  41. Summary 1 Better security bounds improve longevity and efficiency of schemes 2 Many schemes exhibit a quadratic dependence on verification queries Conjecture: All CAESAR modes provably achieve the optimal bound. 15 / 15

  42. Summary 1 Better security bounds improve longevity and efficiency of schemes 2 Many schemes exhibit a quadratic dependence on verification queries Conjecture: All CAESAR modes provably achieve the optimal bound. Paper in the works 1 Generalizing known techniques, applied to GCM to recover bound 2 Analyze block cipher based modes in detail, applied to PMAC to recover bound 15 / 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Scaling Up Symbolic Reasoning for Relational Queries or, speeding up debugging & verification

Scaling Up Symbolic Reasoning for Relational Queries or, speeding up debugging & verification

Scaling Up Symbolic Reasoning for Relational Queries or, speeding up debugging & verification of database queries Chenglong Wang , Alvin Cheung, Ras Bodik University of Washington 1 Relational Queries The language between human and

427 views • 41 slides
Queries in PSM The following rules apply to the use of queries: CS 235: 1. Queries

Queries in PSM The following rules apply to the use of queries: CS 235: 1. Queries

Queries in PSM The following rules apply to the use of queries: CS 235: 1. Queries returning a single value can be Introduction to Databases used in assignments 2. Queries returning a single tuple can be used Svetlozar Nestorov with

530 views • 4 slides
FMCSA Drug & Alcohol Clearinghouse Agenda 1. What is it? 7. Limited Consent Form 2. Roles

FMCSA Drug & Alcohol Clearinghouse Agenda 1. What is it? 7. Limited Consent Form 2. Roles

FMCSA Drug & Alcohol Clearinghouse Agenda 1. What is it? 7. Limited Consent Form 2. Roles & Users 8. Conduct Limited & Full Queries 3. Cost & Penalties 9. Viewing Queries / Searching 4. Safety of Data 10. Pre-Employment

437 views • 30 slides
A Static Verification Framework for Message Passing in Go using Behavioural Types Julien Lange 1 ,

A Static Verification Framework for Message Passing in Go using Behavioural Types Julien Lange 1 ,

A Static Verification Framework for Message Passing in Go using Behavioural Types Julien Lange 1 , Nicholas Ng 2 , Bernardo Toninho 3 , Nobuko Yoshida 2 1 University of Kent 2 Imperial College London 3 Universidade Nova de Lisboa 1 /26 Julien

506 views • 47 slides
PACIFIC ENERGY LIMITED POWER GENERATION INVESTOR PRESENTATION August 2014 ASX: PEA Power

PACIFIC ENERGY LIMITED POWER GENERATION INVESTOR PRESENTATION August 2014 ASX: PEA Power

PACIFIC ENERGY LIMITED POWER GENERATION INVESTOR PRESENTATION August 2014 ASX: PEA Power Station Developer & Owner approx 216MW Pacific Energy Limited (ASX: PEA) Kalgoorlie Power Systems (KPS) Hydro 210MW 6MW Power station

489 views • 14 slides
Pacific Energy Limited Power Generation Macquarie Australia Conference May 2013 ASX: PEA Power

Pacific Energy Limited Power Generation Macquarie Australia Conference May 2013 ASX: PEA Power

Pacific Energy Limited Power Generation Macquarie Australia Conference May 2013 ASX: PEA Power Station Developer & Owner approx 250MW Pacific Energy Limited (ASX: PEA) Kalgoorlie Power Systems (KPS) Hydro 240MW 6MW Power station

413 views • 19 slides
Adani Power Limited Power Business Goal - 20,000 MW ADANI POWER AT A GLANCE Power Business

Adani Power Limited Power Business Goal - 20,000 MW ADANI POWER AT A GLANCE Power Business

Adani Power Limited Power Business Goal - 20,000 MW ADANI POWER AT A GLANCE Power Business Goal - 20,000 MW BY 2020 MUNDRA 330MW X 4 + 660MW X 5 TIRODA 660MW X 5 (UNDER COMMISSIONING) KAWAI 660MW X 2 (UNDER ERECTION)

1k views • 43 slides
1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

Message Authentication CPE 542: CRYPTOGRAPHY & NETWORK SECURITY message authentication is concerned with: protecting the integrity of a message Chapter 11 Message Authentication and validating identity of originator Hash

462 views • 6 slides
` The Tata Power Company Limited Presentation Title ( Arial, Font size 28 ) Investor Presentation

` The Tata Power Company Limited Presentation Title ( Arial, Font size 28 ) Investor Presentation

` The Tata Power Company Limited Presentation Title ( Arial, Font size 28 ) Investor Presentation Date, Venue, etc ..( Arial, Font size 18 ) Feb 2019 Message Box ( Arial, Font size 18 Bold) Disclaimer This document does not constitute or

1.03k views • 62 slides
XP Power Limited - 2007 Results XP Power Highlights Gross margin improves by 5.1% to 42.2%

XP Power Limited - 2007 Results XP Power Highlights Gross margin improves by 5.1% to 42.2%

XP Power Limited - 2007 Results XP Power Highlights Gross margin improves by 5.1% to 42.2% (2006: 37.1%) resulting from an increased amount of XP Power intellectual property Own brand sales now represent 73% of revenues (2006:66%)

499 views • 17 slides
Improving Adolescent Immunization Rates: The Power of the Provider Message Thursday, 4/ 7/ 16

Improving Adolescent Immunization Rates: The Power of the Provider Message Thursday, 4/ 7/ 16

Improving Adolescent Immunization Rates: The Power of the Provider Message Thursday, 4/ 7/ 16 2016-2017 S BHC Performance Measures Webinar Training S eries Disclosure Statement: No financial relationships to disclose Speaker: Sean

197 views • 7 slides
Microsoft Power BI Microsoft Power BI Whole Business On One Dashboard Interactive Visualization

Microsoft Power BI Microsoft Power BI Whole Business On One Dashboard Interactive Visualization

Microsoft Power BI Microsoft Power BI Whole Business On One Dashboard Interactive Visualization Natural Language Queries Turning Data Into Business Advantage Microsoft Power BI 45.000 Organizations 500.000 Unique users 185 Countries

135 views • 13 slides
Jhajjar Power Limited Only power station in Delhi NCR complying with all environment norms 1

Jhajjar Power Limited Only power station in Delhi NCR complying with all environment norms 1

Hands-on approach, knowledge and best practices in addressing environmental norms at Jhajjar Power Limited Only power station in Delhi NCR complying with all environment norms 1 About CLP Group Head-quartered in Hong Kong Total Generation

875 views • 26 slides
Module 14: Analyzing Queries Overview Queries That Use the AND Operator the OR

Module 14: Analyzing Queries Overview Queries That Use the AND Operator the OR

Module 14: Analyzing Queries Overview Queries That Use the AND Operator the OR Operator Join Operations Queries That Use the AND Operator Processing the AND Operator Returns rows that meet all conditions for every

231 views • 12 slides
More Realistic Power Grid Verification Based on Hierarchical Current and Power constraints 2

More Realistic Power Grid Verification Based on Hierarchical Current and Power constraints 2

More Realistic Power Grid Verification Based on Hierarchical Current and Power constraints 2 Chung-Kuan Cheng, 2 Peng Du, 2 Andrew B. Kahng, 1 Grantham K. H. Pang, 1 Yuanzhe Wang, 1 Ngai Wong Grantham K. H. Pang, Yuanzhe Wang, Ngai Wong 1.

489 views • 30 slides
New Requirements Top-N/Bottom-N queries Interactive queries Decision making

New Requirements Top-N/Bottom-N queries Interactive queries Decision making

Lecture 13 Lecture 13 Advanced Query Processing CS5208 Advanced QP 1 New Requirements Top-N/Bottom-N queries Interactive queries Decision making queries Tolerant of errors approximate answers acceptable

675 views • 25 slides
Bootable Cluster CD Supercomputing 2011 Ivan Babic Andrew Fitz Gibbon Mobeen Ludin Earlham

Bootable Cluster CD Supercomputing 2011 Ivan Babic Andrew Fitz Gibbon Mobeen Ludin Earlham

Bootable Cluster CD Supercomputing 2011 Ivan Babic Andrew Fitz Gibbon Mobeen Ludin Earlham College Shodor Foundation Earlham College ibabic09 at cs.earlham.edu fitz at cs.earlham.edu mmludin08 at cs.earlham.edu Tom Murphy Charlie Peck

487 views • 17 slides
Enabling Phylogenetic Research via the CIPRES Science Gateway Wayne Pfeiffer SDSC/UCSD

Enabling Phylogenetic Research via the CIPRES Science Gateway Wayne Pfeiffer SDSC/UCSD

Enabling Phylogenetic Research via the CIPRES Science Gateway Wayne Pfeiffer SDSC/UCSD August 5, 2013 In collaboration with Mark A. Miller, Terri Schwartz, & Bryan Lunt SDSC/UCSD Supported by NSF

238 views • 19 slides
Abuses and misuses of AI: prevention vs reaction Red Teaming in the AI world Cristian Canton

Abuses and misuses of AI: prevention vs reaction Red Teaming in the AI world Cristian Canton

Abuses and misuses of AI: prevention vs reaction Red Teaming in the AI world Cristian Canton Ferrer Research Manager (AI Red Team @ Facebook) Abuses and misuses of AI: prevention vs reaction Red Teaming in the AI world ...with Manipulated

983 views • 79 slides
Navigating Phylogenetic Trees using Graphing Algorithms Giorlando Ramirez So...Whats the

Navigating Phylogenetic Trees using Graphing Algorithms Giorlando Ramirez So...Whats the

Navigating Phylogenetic Trees using Graphing Algorithms Giorlando Ramirez So...Whats the problem? -Phylogenetic trees can be huge, and calculating the distance in between species that are far away from each other in the tree can be

191 views • 7 slides
Toward Fair and Comprehensive Benchmarking of CAESAR Candidates in Hardware: Standard API,

Toward Fair and Comprehensive Benchmarking of CAESAR Candidates in Hardware: Standard API,

Toward Fair and Comprehensive Benchmarking of CAESAR Candidates in Hardware: Standard API, High-Speed ImplementaCons in VHDL/Verilog, and Benchmarking Using FPGAs Ekawat Homsirikamol, William Diehl, Ahmed Ferozpuri, Farnoud Farahmand, Michael

908 views • 53 slides
E B y M ichael T. G iBBons ngineering bachelors degrees remained virtually which have not

E B y M ichael T. G iBBons ngineering bachelors degrees remained virtually which have not

E nginEEring by thE n umbErs E B y M ichael T. G iBBons ngineering bachelors degrees remained virtually which have not abated since the mid-1990s. unchanged since last year, edging slightly Foreign nationals received a higher proportion

806 views • 36 slides
2 c/ 2 rt s

2 c/ 2 rt s

2 c/ 2 rt s ttt rt s P 1 t 2

516 views • 49 slides
Monge-Ampre Geometry and the Navier-Stokes Equations Ian Roulstone University of Surrey Joint

Monge-Ampre Geometry and the Navier-Stokes Equations Ian Roulstone University of Surrey Joint

Monge-Ampre Geometry and the Navier-Stokes Equations Ian Roulstone University of Surrey Joint with Bertrand Banos and Volodya Roubtsov ( J Phys A 2016), and more recent work with Martin Wolf and Jock McOrist (Surrey) New Trends in Applied

527 views • 36 slides

More recommend