The Memory-Tightness of Authenticated Encryption Stefano Tessaro - - PowerPoint PPT Presentation

The Memory-Tightness of Authenticated Encryption

Ashrujit Ghoshal

Stefano Tessaro

CRYPTO 2020

Joseph Jaeger

University of Washington

Concrete security theorems: 𝐁𝐞𝐰 resources ≤ 𝜗 resources

𝐁𝐞𝐰 1 Traditionally: time 𝑢, data complexity/queries 𝑟 𝐁𝐞𝐰 𝑢, 𝑟 ≤ 𝜗 This work: time 𝑢, data complexity/queries 𝑟, memory 𝑇 𝐁𝐞𝐰 𝑢, 𝑟, 𝑇 ≤ 𝜗

This work: Time-memory tradeoffs for (nonce-based) authenticated encryption (AE)

Time-memory tradeoffs for symmetric encryption [TT18, JT19, Dinur20, SS20]

Prior work

F

• c

u s : c

• n

f i d e n t i a l i t y

Tl;dr:

Memory-tight reductions [ACFK17, WMHT18, GT20, Bhattacharya20]

F

• c

u s : p u b l i c

• k

e y c r y p t

• Positive results

Negative results

Nonce-based encryption

NE=(NE.Kg, NE.Enc, NE.Dec)

NE.Kg 𝐿

Security holds only if encryption under distinct nonces

𝐿 NE.Enc 𝑂 𝑁 𝐷 NE.Dec 𝐿 𝑂 𝐷 𝑁/⊥

Long line of work on concrete security of nonce-based AE

[BR00, RBBK01, R02, RS06 …]

Can we extend them to consider memory?

Example: NE.Enc(𝐿, 𝑂, 𝑁) = E0 𝑂 ⊕ 𝑁

• Theorem. [JT19 + Dinur20]

Ad AdvNE indr 𝑢, 𝑟, 𝑇 ≤ 𝑇 ⋅ 𝑟 log 𝑟 2! + Ad AdvE prp 𝑢, 𝑟, 𝑇

indr = indistinguishability from random ciphertexts

E = 𝑜-bit block cipher

𝑢 = time, 𝑟 = # encryptions, 𝑇 = memory

𝑇 𝑟 secure insecure

Goal: similar results for AE security? (like GCM [MV04])

e.g. beyond-birthday security for 𝑇 < 2

! "

• Theorem. Ad

AdvNE ae 𝑢, 𝑟 ≤ Ad AdvNE indr 𝑢, 𝑟 + Ad AdvNE ctxt 𝑢, 𝑟

indistinguishability from random ciphertexts ciphertext integrity

Target: combined AE security notion (confidentiality + integrity) Usual proof approach: INDR + CTXT ⇒ AE

• Theorem. Ad

AdvNE ae 𝑢, 𝑟, 𝑇 ≤ Ad AdvNE indr 𝑢, 𝑟, 𝑇" + Ad AdvNE ctxt 𝑢, 𝑟, 𝑇# Wanted: memory-tight reduction [ACFK17] 𝑇" = 𝑇# = 𝑇

Unclear! Known reduction is not memory-tight!

𝐿 ←

$ NE.Kg

• Proc. ENC1(𝑂, 𝑁)

𝐷 ← NE.Enc(𝐿, 𝑂, 𝑁) Return 𝐷

• Proc. DEC1(𝑂, 𝐷)

Return NE.Dec(𝐿, 𝑂, 𝐷)

• Proc. DEC0(𝑂, 𝐷)

Return L 𝑂, 𝐷

• Proc. ENC1(𝑂, 𝑁)

𝐷 ← NE.Enc(𝐿, 𝑂, 𝑁) L 𝑂, 𝐷 ← 𝑁 Return 𝐷

• Proc. DEC0(𝑂, 𝐷)

Return L 𝑂, 𝐷

NE=(NE.Kg, NE.Enc, NE.Dec) Ad AdvNE ctxt(𝑢, 𝑟, 𝑇) 👎 Ad AdvNE indr 𝑢, 𝑟, 𝑇 + 𝑃(𝑟) 👏

𝐿 ←

$ NE.Kg

• Proc. ENC0(𝑂, 𝑁)

𝐷 ← L 𝑂, 𝐷 ← 𝑁 Return 𝐷

Ad AdvNE ae 𝑢, 𝑟, 𝑇 ?

• Proc. DEC0(𝑂, 𝐷)

Return L 𝑂, 𝐷

• Proc. ENC1(𝑂, 𝑁)

𝐷 ← NE.Enc(𝐿, 𝑂, 𝑁) L 𝑂, 𝐷 ← 𝑁 Return 𝐷

• Proc. DEC0(𝑂, 𝐷)

Return L 𝑂, 𝐷

• Proc. ENC0(𝑂, 𝑁)

𝐷 ← L 𝑂, 𝐷 ← 𝑁 Return 𝐷

• Proc. ENC1(𝑂, 𝑁)

𝐷 ← NE.Enc(𝐿, 𝑂, 𝑁) Return 𝐷

• Proc. ENC0(𝑂, 𝑁)

𝐷 ← Return 𝐷

indr security Requires memory proportional to #

• f queries!

Our results, in a nutshell

• 1. Memory-tight reduction and time-memory trade-
• ffs in the channel setting
• Typical usage within protocols like TLS
• New technique: memory-adaptive reduction
• 2. Impossibility result for general memory-tight

reduction INDR + CTXT ⇒ AE!

Channel setting: motivation

• implicit nonces = counter

ENC 𝐿, 0, 𝑁$ , ENC 𝐿, 1, 𝑁" , ⋯

• receiver aborts upon the first decryption failure
• in-order delivery

Channel setting captures this AE often used to establish a secure communication channel, as in TLS

The channel setting

CH.Sg 𝜏% 𝜏& 𝑁 CH.S 𝐷 𝜏% CH.R 𝐷′ 𝑁′/⊥ 𝜏& CH=(CH.Sg, CH.S, CH.R)

The channel setting: correctness

CH.Sg 𝜏% 𝜏& 𝑁" CH.S 𝐷" 𝜏% CH.S 𝑁# 𝐷# 𝜏% CH.S 𝑁' 𝐷' 𝜏% CH.R 𝐷" 𝑁" 𝜏& CH.R 𝐷# 𝑁# 𝜏& CH.R 𝐷' 𝑁' 𝜏& CH=(CH.Sg, CH.S, CH.R)

The channel setting: security

CH.Sg 𝜏% 𝜏& 𝑁" CH.S 𝐷" 𝜏% CH.S 𝑁# 𝐷# 𝜏% CH.S 𝑁' 𝐷' 𝜏% CH.R 𝐷" 𝑁" 𝜏& CH.R 𝐷' 𝜏& CH.R 𝐷# ⊥ 𝜏& CH=(CH.Sg, CH.S, CH.R) ⊥

(𝜏", 𝜏#) ←

$ CH.Sg

• Proc. ENC1(𝑁)

(𝜏", 𝐷) ← CH.S(𝜏", 𝑁) Return 𝐷

• Proc. DEC1(𝐷)

(𝜏#, 𝑁) ← CH.R(𝜏#, 𝐷) Return 𝑁

CH=(CH.Sg, CH.S, CH.R)

AE security for channels

• Proc. DEC0(𝐷)

(𝑁$, 𝐷$) ← Dequeue() If sync then If 𝐷 = 𝐷$ then return 𝑁′ sync ← false Return ⊥

• Proc. ENC0(𝑁)

𝐷 ← Enqueue(𝑁, 𝐷) Return 𝐷 sync ← true Ad AdvNE ch−ae 𝑢, 𝑟, 𝑇

Main theorem

• Theorem. [this work] ∀ 𝜇 ∈ ℕ

Ad AdvCH ch%ae 𝑢, 𝑟, 𝑇 ≤ Ad AdvCH ch%ctxt 𝑢, 𝑟, 𝑇 + 2 ⋅ Ad AdvCH ch%indr 𝑢, 𝑟, 3𝑇 + 𝑃(log𝑟 + 𝜇) + 1 2&

Memory-tight!

ae security for channels indistinguishability from random ciphertexts for channels ciphertext integrity for channels

New technique: Memory-adaptive reduction

DEC1

Ad AdvCH ch(ctxt(𝑢, 𝑟, 𝑇) easy 2 ⋅ Ad AdvCH ch(indr 𝑢, 𝑟, 3𝑇 + 𝑃 log 𝑟 + 𝜇 + 1 2) next up!

ENC1 DEC0 ENC0 ENC1 DEC0

(𝑁!, 𝐷!)

Issue: size of queue grows with the number of queries

(𝑁", 𝐷") (𝑁#, 𝐷#)

ENC*(𝑁"), ENC* 𝑁# , ENC* 𝑁' 𝐷", 𝐷#, 𝐷' Queue 𝑐 ←

$ {0,1}

DEC$ 𝐷" 𝑁"

Key idea: bounding queue size does not change behavior DEC$ 𝐷" , DEC$ 𝐷# , DEC$(𝐷') Adversary had to remember 𝐷", 𝐷#, 𝐷' to cause this! Example: only store ≤ 2 pairs

(𝑁!, 𝐷!) (𝑁", 𝐷")

ENC*(𝑁"), ENC* 𝑁# , ENC* 𝑁' 𝐷", 𝐷#, 𝐷' Queue 𝑐 ←

$ {0,1}

𝑁", 𝑁#, ⊥ Bound queue size to Δ = 2𝑇 + log 𝑟 + 𝜇 bits

Information-theoretic game

𝐵" 𝐵# 𝑆 ←

$ 0,1 ,

(𝑗, 𝜏) 𝑗 ≤ 𝑀 − Δ 𝜏 ≤ 𝑇 𝑀, Δ ∈ ℕ, Δ ≤ 𝑀

• Lemma. If Δ = 2𝑇 + 𝑃 log 𝑀 + 𝜇 then

Pr[ 𝐵", 𝐵# wins] ≤ 1 2) =

?

𝑗 Δ Δ

Application to GCM

CAU [BT16] : an abstraction of GCM

• ne of the most widely

deployed encryption schemes encryption scheme from block cipher 𝐹 and hash function 𝐼

• Theorem. [this work]

Ad AdvNCH ch]ae 𝑢, 𝑟, 𝑇 ≤ 4 ⋅ Ad AdvE prp 𝑢, 𝑃 𝑟 , 𝑃(𝑇) + 𝑃 𝑇𝑟 log 𝑟 2^ channel induced by CAU

𝑜-bit block cipher AXU

Our results, in a nutshell

• 1. Memory-tight reduction and time-memory trade-
• ffs in the channel setting
• Typical usage within protocols like TLS
• New technique: memory-adaptive reduction
• 2. Impossibility result for general memory-tight

reduction INDR + CTXT ⇒ AE!

Negative result for the general setting

• Impossibility result for proving INDR+CTXT⇒AE in a

memory-tight way for nonce-based encryption schemes

• Similar spirit as prior work [ACFK17,WMHT18,GT20]
• Also rules out memory-adaptive reductions (like the one

for channels)

• Evidence that some restriction necessary for memory-

tight reduction

Our result

• Theorem. [this work] ∀ INDR+CTXT-secure NE ∃ AE

adversary 𝐵∗ making 𝑟 queries, using memory 𝑃(log 𝑟) s.t. 1) 1) Ad AdvNE ae 𝐵∗ ≈ 1 2) ∀ “efficient” black-box reductions 𝑆 using additional memory 𝑇 = 𝑝 𝑟 then Ad AdvNE indr 𝑆[𝐵∗] = negl 3) ∀ “efficient” black-box reductions 𝑆′ Ad AdvNE ctxt 𝑆′[𝐵∗] = negl

inefficient

Our result

• Theorem. [this work] ∀ INDR+CTXT-secure NE ∃ AE

adversary 𝐵∗ making 𝑟 queries, using memory 𝑃(log 𝑟) s.t. 1) 1) Ad AdvNE ae 𝐵∗ ≈ 1 2) ∀ “efficient” restricted black-box reductions 𝑆 using additional memory 𝑇 = 𝑝 𝑟 then Ad AdvNE indr 𝑆[𝐵∗] = negl 3) ∀ “efficient” restricted black-box reductions 𝑆′ Ad AdvNE ctxt 𝑆′[𝐵∗] = negl

Restricted black-box reduction

1. faithful

• 2. nonce-respecting 𝐵∗ ⇒ nonce-respecting 𝑆
• 3. straightline or fully-rewinding

ENC'(𝑂, 𝑁)

𝐵∗ 𝑆 ENC`

ENC'(𝑂, 𝑁) 𝐷 𝐷

⋮

The adversary 𝐵∗: basic idea

• In round 𝑗 = 1, ⋯ , 𝑠
• Encrypt random 𝑁(, 𝑁), ⋯ , 𝑁* ←

$ 0,1 ℓ

𝐷

, ← ENC'( 𝑗, 𝑘 , 𝑁 ,)

• Sample 𝑘∗ ←

$ [𝑣]

𝑁 ← DEC'( 𝑗, 𝑘∗ , 𝐷,∗)

• If 𝑁,∗ ≠ 𝑁 then ABORT
• All rounds succeed ⟹ Inefficiently break the scheme

Intuition: reduction w/ memory 𝑙 ⋅ ℓ bits succeeds in each round w/ probability ≤ .

*

Conclusions

• Memory-sensitive bounds for the AE security of

channels

Time-memory tradeoffs for the AE security of a TLS like channel instantiated with GCM

• New technique: Memory-adaptive reductions
• Impossibility for full AE security

Evidence that restricting AE security to specific settings is inherent for memory-tight reductions

Open problems

• Memory-sensitive bounds for other practical examples
• f channels?
• More applications of memory-adaptive reductions?

Paper: https://eprint.iacr.org/2020/785