trick or tweak
play

Trick or Tweak On the (In)security of OTRs Tweaks Raphael Bost 1 , 2 - PowerPoint PPT Presentation

Oct 19, 2023 •216 likes •574 views

Trick or Tweak On the (In)security of OTRs Tweaks Raphael Bost 1 , 2 Olivier Sanders 3 1 Direction Gnrale de lArmement - Matrise de lInformation 2 Universit de Rennes 1 3 Orange Labs Asiacrypt 2016, Hanoi Raphael Bost, Olivier

  1. Trick or Tweak On the (In)security of OTR’s Tweaks Raphael Bost 1 , 2 Olivier Sanders 3 1 Direction Générale de l’Armement - Maîtrise de l’Information 2 Université de Rennes 1 3 Orange Labs Asiacrypt 2016, Hanoi Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 1 / 22

  2. Offset Two Rounds (OTR) M [ 1 ] M [ 2 ] CAESAR submission by K. Minematsu � (Eurocrypt ’14) E N , 1 , 0 � K Rate-1 AE Tweakable blockcipher based Inverse-free version of OCB � (only needs E , not E − 1 ) E N , 1 , 1 � K Two rounds Feistel construction Defined for any block size n . C [ 1 ] C [ 2 ] Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 2 / 22

  3. Tweakable Blockcipher (TBC) [LRW02] Add a public input to a blockcipher – the tweak – to add variability. Each tweak T ∈ T (the tweak space) yields an independent pseudo-random permutation. Tweakable Blockcipher (a.k.a tweakable PRP) The T ∈ T indexed permutation family � E K ( T , . ) is indistinguishable from a random permutation family π ( T , . ) E K ( .,. ) ⇒ 1 ] − P [ � � π ( .,. ) ⇒ 1 ] ≤ negl ( λ ) $ ← Perm ( T , n ) : A � $ P [ K ← K : A π Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 3 / 22

  4. OTR Encryption (1/2) M [ 1 ] M [ 2 ] M [ 2 ℓ − 3 ] M [ 2 ℓ − 2 ] � � E N , 1 , 0 � E N ,ℓ − 1 , 0 � K K . . . . . . � � E N , 1 , 1 E N ,ℓ − 1 , 1 � � K K C [ 1 ] C [ 2 ] C [ 2 ℓ − 3 ] C [ 2 ℓ − 2 ] Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 4 / 22

  5. OTR Encryption (2/2) if m is even if m is odd Tag 0 n M [ m − 1 ] M [ m ] M [ m ] � E N ,ℓ, 0 � Σ msb K E N ,ℓ, 1 � K � E ∗ , N ,ℓ, b 1 , b 2 � E N ,ℓ, 1 � pad � K K msb C [ m − 1 ] C [ m ] C [ m ] T Σ = M [ 2 ] ⊕ . . . ⊕ M [ m − 2 ] Σ = M [ 2 ] ⊕ . . . ⊕ M [ m − 1 ] ⊕ Z ⊕ C [ m ] ⊕ M [ m ] Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 5 / 22

  6. OTR’s security Theorem (Theorem 3 of [Min14]) If � E is a tweakable PRP, OTR is CPA-secure (confidentiality) and INT-CTXT-secure (unforgeability). Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 6 / 22

  7. Instantiating the TBC Remark We are working in F 2 n represented as F 2 [ X ] / ( P ( X )) with P is a degree n primitive polynomial in F 2 . Use the XE construction: � E N , i , j ( M ) = E K ( M + ∆ N i , j ) K M In [Rog04]: ∆ N i , j = X i ( X + 1 ) j δ with δ = E K ( N ) � ∆ N i , j ∆ N i + 1 , j = X · ∆ N i , j E K ∆ N i , j + 1 = ( X + 1 ) · ∆ N i , j C Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 7 / 22

  8. Instantiating the TBC Remark We are working in F 2 n represented as F 2 [ X ] / ( P ( X )) with P is a degree n primitive polynomial in F 2 . In OTRv1-v2 [Min14], for efficiency, an other masking scheme is used: M � ∆ N i , b = ( X i + 1 + b ) δ ∆ N i , j ℓ, b 1 , b 2 = [( X + 1 ) X ℓ + 1 + X · b 1 + b 1 + b 2 ] δ ∆ ∗ , N E K ∆ N i + 1 , 0 = X · ∆ N C i , 0 ∆ N i , 1 = ∆ N i , 0 + δ Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 7 / 22

  9. The flaw Lemma (Lemma 1 of [Min14]) The TBC is indistinguishable from a tweakable PRP. The proof of this lemma relies on the following claim Claim � � X i + 1 δ, ( X i + 1 + 1 ) δ, Let S 1 ( δ ) = � � ( X i + 2 + X i + 1 + b 1 X + b 2 ) δ ∪ i = 1 , b 1 ∈{ 0 , 1 } , b 2 ∈{ 0 , 1 } The elements of S 1 ( δ ) are pairwise different. Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 8 / 22

  10. The flaw Lemma (Lemma 1 of [Min14]) The TBC is indistinguishable from a tweakable PRP. The proof of this lemma relies on the following claim Claim � � X i + 1 δ, ( X i + 1 + 1 ) δ, Let S 1 ( δ ) = � � ( X i + 2 + X i + 1 + b 1 X + b 2 ) δ ∪ i = 1 , b 1 ∈{ 0 , 1 } , b 2 ∈{ 0 , 1 } The elements of S 1 ( δ ) are pairwise different. Our attack This is not true in general! Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 8 / 22

  11. The trick In [Rog04], bound i and j , so that i + α j are all different, with α = log X ( X + 1 ) ⇒ { X i ( X + 1 ) j } are pairwise distinct. Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 9 / 22

  12. The trick In [Rog04], bound i and j , so that i + α j are all different, with α = log X ( X + 1 ) ⇒ { X i ( X + 1 ) j } are pairwise distinct. In [Min14], we cannot show that, for some q , elements are pairwise distinct in � � � � X i + 1 , X i + 1 + 1 X i + 2 + X i + 1 + b 1 X + b 2 ∪ 1 ≤ i ≤ q , ( b 1 , b 2 ) ∈{ 0 , 1 } 2 . Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 9 / 22

  13. The trick In [Rog04], bound i and j , so that i + α j are all different, with α = log X ( X + 1 ) ⇒ { X i ( X + 1 ) j } are pairwise distinct. In [Min14], we cannot show that, for some q , elements are pairwise distinct in � � � � X i + 1 , X i + 1 + 1 X i + 2 + X i + 1 + b 1 X + b 2 ∪ 1 ≤ i ≤ q , ( b 1 , b 2 ) ∈{ 0 , 1 } 2 . If P ( X ) = X n + X j + 1, there is a collision between X n and X j + 1 in F 2 n = F 2 [ X ] / ( P ( X )) . Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 9 / 22

  14. The trick In [Rog04], bound i and j , so that i + α j are all different, with α = log X ( X + 1 ) ⇒ { X i ( X + 1 ) j } are pairwise distinct. In [Min14], we cannot show that, for some q , elements are pairwise distinct in � � � � X i + 1 , X i + 1 + 1 X i + 2 + X i + 1 + b 1 X + b 2 ∪ 1 ≤ i ≤ q , ( b 1 , b 2 ) ∈{ 0 , 1 } 2 . If P ( X ) = X n + X j + 1, there is a collision between X n and X j + 1 in F 2 n = F 2 [ X ] / ( P ( X )) . For more than half of n ≤ 10000, there is an irreducible trinomial P . Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 9 / 22

  15. For actual block sizes ( n = 64 , 128)? If 8 | n , F 2 n = F 2 [ X ] / ( P ( X )) with P with at least 5 non-zero coefficient ( P ( X ) = X n + X j 1 + X j 2 + X j 3 + 1). ⇒ no immediate collision in general. Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 10 / 22

  16. For actual block sizes ( n = 64 , 128)? If 8 | n , F 2 n = F 2 [ X ] / ( P ( X )) with P with at least 5 non-zero coefficient ( P ( X ) = X n + X j 1 + X j 2 + X j 3 + 1). ⇒ no immediate collision in general. For SW/HW efficiency, we usually choose P such that its non-zero coefficients are close to each other, preferably in the least significant bytes. P 64 ( X ) = X 64 + X 4 + X 3 + X + 1 P 128 ( X ) = X 128 + X 7 + X 2 + X + 1 Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 10 / 22

  17. For actual block sizes ( n = 64 , 128)? If 8 | n , F 2 n = F 2 [ X ] / ( P ( X )) with P with at least 5 non-zero coefficient ( P ( X ) = X n + X j 1 + X j 2 + X j 3 + 1). ⇒ no immediate collision in general. For SW/HW efficiency, we usually choose P such that its non-zero coefficients are close to each other, preferably in the least significant bytes. P 64 ( X ) = X 64 + X 4 + X 3 + X + 1 P 128 ( X ) = X 128 + X 7 + X 2 + X + 1 For n = 64 with the usual P , we have a collision of the type X i = X j + 1 + X j + X + 1 : X 64 = X 4 + X 3 + X + 1 Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 10 / 22

  18. Consequences Problem There is a flaw in the proof of OTR, even for practical parameters. Does the confidentiality of OTR break? Does the unforgeability of OTR break? Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 11 / 22

  19. Typology of collisions � � � � X i + 1 , X i + 1 + 1 X i + 2 + X i + 1 + b 1 X + b 2 1 ≤ i ≤ q ∪ 1 ≤ i ≤ q , ( b 1 , b 2 ) ∈{ 0 , 1 } 2 There are three types of collision among the tweaks’ polynomials: X i = X j + 1 (1) X i = X j + 1 + X j + r ( X ) (2) X i + 1 + X i = X j + 1 + X j + r ( X ) (3) with r ( X ) ∈ { 0 , 1 , X , X + 1 } . Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 12 / 22

  20. Attacks Out attack Type 1 ( X i = X j + 1) Break confidentiality and unforgeability. Type 2 ( X i = X j + 1 + X j + r ( X ) ) Break confidentiality if i < j . Break unforgeability o/w. Type 3 ( X i + 1 + X i = X j + 1 + X j + r ( X ) ) Break unforgeability. Idea: use the collision to have relations between block cipher’s inputs and create collisions on the outputs. Only one query to the encryption oracle, with a message of max ( i , j ) blocks. For n = 64: 1 kB message. Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 13 / 22

  21. n = 128 in practice Usually, for n = 128, we choose P ( X ) = X 128 + X 7 + X 2 + X + 1 . There is no trivial collision. Remark This is not true for all irreducible P of degree 128. Ex: P ( X ) = X 128 + X 127 + X 61 + X 60 + 1 Can we find a collision among tweaks polynomials? Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 14 / 22

  22. In search for lost collision We are only interested in collisions with i and j < 2 64 : the security proof of OTR only holds up to the birthday bound. Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 15 / 22

  23. In search for lost collision We are only interested in collisions with i and j < 2 64 : the security proof of OTR only holds up to the birthday bound. We cannot find such collisions by constructing a collision in F 2 64 and then lifting it in F 2 128 . Raphael Bost, Olivier Sanders Trick or Tweak Asiacrypt ’16 15 / 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Tweak twig with awesome Vue.js by Tejomay Saha Tweak twig with awesome Vue.js by Tejomay

Tweak twig with awesome Vue.js by Tejomay Saha Tweak twig with awesome Vue.js by Tejomay

Tweak twig with awesome Vue.js by Tejomay Saha Tweak twig with awesome Vue.js by Tejomay Saha Hello! I am Tejomay Saha @tejomayonline I am here as I love learning and expressing new techs stuffs to ease coding. Working at Srijan

865 views • 42 slides
Related-Tweak Statistical Saturation Cryptanalysis and Its Application on QARMA Muzhou Li Key Lab

Related-Tweak Statistical Saturation Cryptanalysis and Its Application on QARMA Muzhou Li Key Lab

Related-Tweak Statistical Saturation Cryptanalysis and Its Application on QARMA Muzhou Li Key Lab of Cryptologic Technology and Information Security Ministry of Education, Shandong University, China Joint work with Kai Hu, Meiqin Wang March 27,

625 views • 30 slides
THE BEST CARD TRICK MICHAEL KLEBER In Mathematical Intelligencer 24 #1 (Winter 2002) You, my

THE BEST CARD TRICK MICHAEL KLEBER In Mathematical Intelligencer 24 #1 (Winter 2002) You, my

THE BEST CARD TRICK MICHAEL KLEBER In Mathematical Intelligencer 24 #1 (Winter 2002) You, my friend, are about to witness the best card trick there is. Here, take this ordinary deck of cards, and draw a hand of five cards from it. Choose them

404 views • 5 slides
More $ (caches, yes) Trick or treat! Midterm

More $ (caches, yes) Trick or treat! Midterm

University of Washington More $ (caches, yes) Trick or treat! Midterm ques&gt;ons? Note: prac+ce midterms posted HW 2 due today Lab

1.15k views • 70 slides
The trick in biology is to select, from the thousands of facts that you know, the three that are

The trick in biology is to select, from the thousands of facts that you know, the three that are

The trick in biology is to select, from the thousands of facts that you know, the three that are relevant to your problem, and to not be disturbed that they contradict each other. Eric Wieschaus (paraphrased) Mark Voorhies 3D Structures 3D

790 views • 11 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
50 Ways to Tweak Your Paper Some Comments on Paper Writing and Reviewing Johannes Frnkranz TU

50 Ways to Tweak Your Paper Some Comments on Paper Writing and Reviewing Johannes Frnkranz TU

50 Ways to Tweak Your Paper Some Comments on Paper Writing and Reviewing Johannes Frnkranz TU Darmstadt Knowledge Engineering Group Hochschulstrasse 10 D-64289 Darmstadt juffi@ke.tu-darmstadt.de ECML/PKDD 2017 | J. Frnkranz How did I

492 views • 32 slides
Never miss a bus again with this one crazy trick Cooper Sloan Background - Undergrad: MIT, BS

Never miss a bus again with this one crazy trick Cooper Sloan Background - Undergrad: MIT, BS

Never miss a bus again with this one crazy trick Cooper Sloan Background - Undergrad: MIT, BS in Computer Science - Masters: MIT, MEng in Artificial Intelligence Overview Problem Risks/Challenges Implementation Final Design

327 views • 14 slides
Learning to Trick Robots into Cooperative Behavior Jen Jen Chung Autonomous

Learning to Trick Robots into Cooperative Behavior Jen Jen Chung Autonomous

Learning to Trick Robots into Cooperative Behavior Jen Jen Chung Autonomous Agents and Distributed Intelligence Lab Oregon State University UAV Package Delivery Increasing interest

525 views • 23 slides
Dissections, Hom-complexes and the Cayley Trick Julian Pfeifle MA II, Universitat Politcnica

Dissections, Hom-complexes and the Cayley Trick Julian Pfeifle MA II, Universitat Politcnica

Introduction The Cayley trick Hom-complexes Dissection complexes Dissections, Hom-complexes and the Cayley Trick Julian Pfeifle MA II, Universitat Politcnica de Catalunya julian.pfeifle@upc.edu Work in progress Introduction The Cayley

976 views • 70 slides
Tweak Your Modules! Java Platform Module System Stephan Herrmann Simply Retail. J JDT embraces

Tweak Your Modules! Java Platform Module System Stephan Herrmann Simply Retail. J JDT embraces

J D T Tweak Your Modules! Java Platform Module System Stephan Herrmann Simply Retail. J JDT embraces Java 9 / Part II D T We've all migrated to Java 11 From here adopting new Java versions is a breeze Compatibility for all!

664 views • 17 slides
The real trick to writing a script or novel that will sell is to know and use Hollywoods

The real trick to writing a script or novel that will sell is to know and use Hollywoods

The real trick to writing a script or novel that will sell is to know and use Hollywoods central marketing strategy. And that can be summed up in one word: genres. The key decision is: which genres should I use for this idea? Instead of

757 views • 28 slides
A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick browser to execute code without user knowledge CSRF Trick browser to access sensitive pages without user knowledge CSRF Vulnerability Pattern

284 views • 11 slides
More Than a One Trick Pony Diggers &amp; Dealers August 2014 ASX: RXL 1 1 Disclaimers

More Than a One Trick Pony Diggers &amp; Dealers August 2014 ASX: RXL 1 1 Disclaimers

More Than a One Trick Pony Diggers &amp; Dealers August 2014 ASX: RXL 1 1 Disclaimers Forward-Looking Statements Competent Person Statements This presentation has been prepared by Rox Resources Limited. This document contains background

527 views • 17 slides
Learning From Data Lecture 25 The Kernel Trick Learning with only inner products The Kernel M.

Learning From Data Lecture 25 The Kernel Trick Learning with only inner products The Kernel M.

Learning From Data Lecture 25 The Kernel Trick Learning with only inner products The Kernel M. Magdon-Ismail CSCI 4100/6100 recap: Large Margin is Better Controling Overfitting Non-Separable Data 0.08 random hyperplane 2 w t w + C N E

576 views • 18 slides
Is Samba 4 AD Ready for Global Enterprise? It is with the ONE WEIRD TRICK click here But

Is Samba 4 AD Ready for Global Enterprise? It is with the ONE WEIRD TRICK click here But

Is Samba 4 AD Ready for Global Enterprise? It is with the ONE WEIRD TRICK click here But first... Disclaimer This presentation, the content and opinions contained within are the author's own and do not reflect the views or opinions of

509 views • 46 slides
RTWG Report to the MOPC November 4, 2013 Dennis Reed Chairman RTWG 1 11/1/2013 APPROVAL

RTWG Report to the MOPC November 4, 2013 Dennis Reed Chairman RTWG 1 11/1/2013 APPROVAL

11/1/2013 RTWG Report to the MOPC November 4, 2013 Dennis Reed Chairman RTWG 1 11/1/2013 APPROVAL ITEMS: MARKETPLACE COMPLIANCE REVISION REQUESTS 3 MCRRs Integrated Marketplace MCRR 100 (p39 41 50) Must Offer Requirement As

426 views • 23 slides
BEYOND MEAN-FIELD APPROXIMATION AURLIEN DECELLE LABORATOIRE DE RECHERCHE EN INFORMATIQUE

BEYOND MEAN-FIELD APPROXIMATION AURLIEN DECELLE LABORATOIRE DE RECHERCHE EN INFORMATIQUE

BEYOND MEAN-FIELD APPROXIMATION AURLIEN DECELLE LABORATOIRE DE RECHERCHE EN INFORMATIQUE UNIVERSIT PARIS SUD MOTIVATIONS Why inverse problems ? In Machine Learning online recognition tasks In Physics understanding a

754 views • 40 slides
High-Resolution MPAS Simulations for Analysis of Climate Change Effects on Weather Extremes

High-Resolution MPAS Simulations for Analysis of Climate Change Effects on Weather Extremes

High-Resolution MPAS Simulations for Analysis of Climate Change Effects on Weather Extremes ALLISON MICHAELIS, GARY LACKMANN, &amp; WALT ROBINSON Department of Marine, Earth, and Atmospheric Sciences, North Carolina State University GEWEX

195 views • 18 slides
Positioning Ones-Self in the Research Process : eliminating pseudo-science, a split personality

Positioning Ones-Self in the Research Process : eliminating pseudo-science, a split personality

Positioning Ones-Self in the Research Process : eliminating pseudo-science, a split personality and narcissism in combined arts and science research projects at Wrexham Glyndwr University DrSusan Liggett (s.liggett@glyndwr.ac.uk); Karen Heald

392 views • 24 slides
Hagedorn (2016)

Hagedorn (2016)

Hagedorn (2016) Forgiveness 1 Helping Clients with Forgiveness Work W. Bryce Hagedorn, PhD, LMHC, NCC,

69 views • 4 slides
Reducing the Carbon Footprint in South Carolina Ethan R. Ware 1441 Main Street, Suite 1250

Reducing the Carbon Footprint in South Carolina Ethan R. Ware 1441 Main Street, Suite 1250

Reducing the Carbon Footprint in South Carolina Ethan R. Ware 1441 Main Street, Suite 1250 Columbia, South Carolina 29201 Williams Mullen eware@williamsmullen.com 803-567-4610 Understanding How to Reduce Carbon Footprints is Simple 22

552 views • 39 slides
TOWARDS A GENERAL THEORY OF DEEP DOWNTURNS Joseph E. Stiglitz Trento June, 2015 2 Deep

TOWARDS A GENERAL THEORY OF DEEP DOWNTURNS Joseph E. Stiglitz Trento June, 2015 2 Deep

TOWARDS A GENERAL THEORY OF DEEP DOWNTURNS Joseph E. Stiglitz Trento June, 2015 2 Deep downturns The world has been plagued by episodic deep downturns 2008 crisis most recent In spite of alleged better knowledge of economic

544 views • 43 slides
Verification and Validation for Safety in Robots Kerstin Eder Design Automation and Verification

Verification and Validation for Safety in Robots Kerstin Eder Design Automation and Verification

Verification and Validation for Safety in Robots Kerstin Eder Design Automation and Verification Trustworthy Systems Laboratory Verification and Validation for Safety in Robots, Bristol Robotics Laboratory Verification and Validation for Safety

1.29k views • 72 slides

More recommend