
ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication
Tetsu Iwata¹, Kazuhiko Minematsu², Thomas Peyrin³, Yannick Seurin⁴
¹ Nagoya University (Japan), ² NEC (Japan), ³ NTU (Singapore), ⁴ ANSSI (France)


1. ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication
Tetsu Iwata*¹, Kazuhiko Minematsu², Thomas Peyrin†³, Yannick Seurin‡⁴
¹ Nagoya University (Japan), ² NEC (Japan), ³ NTU (Singapore), ⁴ ANSSI (France)
CRYPTO 2017, California, USA, August 22, 2017
* Supported by JSPS KAKENHI, Grant-in-Aid for Scientific Research (B), Grant Number 26280045
† Supported by Singapore National Research Foundation Fellowship 2012 (NRF-NRFF2012-06) and Temasek Labs (DSOCL16194)
‡ Partially supported by the French Agence Nationale de la Recherche through the BRUTUS project under Contract ANR-14-CE28-0015

2. Introduction: Message Authentication Code (MAC)
• Symmetric-key crypto for tampering detection
• $\mathrm{MAC} : \mathcal{K} \times \{0,1\}^* \to \mathcal{T}$
• Alice computes $\mathrm{Tag} = \mathrm{MAC}(K, M) = \mathrm{MAC}_K(M)$ and sends $(M, \mathrm{Tag})$ to Bob
• Bob checks whether $(M, \mathrm{Tag})$ is authentic by computing the tag locally
• If $\mathrm{MAC}_K(\cdot)$ is a variable-input-length PRF, it is secure

3. Tweakable Block Cipher (TBC)
Extension of the ordinary block cipher (BC), formalized by Liskov et al. [LRW02]
• $\tilde{E} : \mathcal{K} \times \mathcal{T} \times \mathcal{M} \to \mathcal{M}$, where the tweak $T \in \mathcal{T}$ is a public input
• $(K, T) \in \mathcal{K} \times \mathcal{T}$ specifies a permutation over $\mathcal{M}$
• Let $\mathcal{M} = \{0,1\}^n$ and $\mathcal{T} = \{0,1\}^t$
We implicitly assume an additional small tweak $i = 1, 2, \ldots$ used for domain separation, and write $\tilde{E}^i_K(T, X)$ when necessary

4. Building TBC
Block cipher modes for TBC: LRW [LRW02] and XEX [Rog04]
• Efficient, but security is up to the birthday bound ($O(2^{64})$ attack when AES is used)
• Beyond-the-birthday-bound (BBB) security is possible (e.g. [Min09][LST12][LS15]) but not really efficient
Dedicated designs:
• HPC [Sch98]
• Threefish in the Skein hash function [FLS+10]
• Deoxys-BC, Joltik-BC, KIASU-BC [JNP14a], SCREAM [GLS+14], ... in the CAESAR submissions
• SKINNY [BJK+16], QARMA [Ava17], ...


6. Security notions of TBC [LRW02]
• Indistinguishable from the set of independent uniform random permutations indexed by the tweak
  – Tweakable uniform random permutation (TURP), denoted by $\tilde{P}$
  – The tweak is chosen by the adversary
• CCA-secure TBC = TSPRP
• CPA-secure TBC = TPRP
[Figure: adversary A querying either $\tilde{E}_K$ (and $\tilde{E}_K^{-1}$ in the CCA case) or $\tilde{P}$ (and $\tilde{P}^{-1}$)]

7. Building MAC with TBC: PMAC1
PMAC1 by Rogaway [Rog04], introduced in the proof of PMAC
• Parallel
• Security is up to the birthday bound w.r.t. the block size ($n$)
  – $\mathrm{Adv}^{\mathrm{tprp}}_{\mathrm{PMAC1}}(\sigma) = O(\sigma^2 / 2^n)$ for $\sigma$ queried blocks
  – Thus $n/2$-bit security
[Figure: PMAC1 on $M[1], \ldots, M[4]$, with parallel TBC calls $\tilde{E}^1_K, \tilde{E}^2_K, \tilde{E}^3_K$ and a final call $\tilde{E}^4_K$ producing Tag]

8. Building MAC with TBC: PMAC_TBC1k
PMAC_TBC1k by Naito [Nai15]
• $2n$-bit chaining similar to PMAC_Plus [Yas11]
  – Finalization by a $2n$-bit PRF built from the TBC
• BBB-secure: improves the security of PMAC1 to $n$ bits
• Same computation cost as PMAC1 (except for the finalization)
[Figure: PMAC_TBC1k, message hashing part, on $M[1], M[2], M[3]$ with $\tilde{E}^1_K, \tilde{E}^2_K, \tilde{E}^3_K$; two $n$-bit chains starting from $0^n$, one of them using multiplication by 2 over $\mathrm{GF}(2^n)$]


10. Efficiency of MAC
These TBC-based MACs are not optimally efficient
• They process $n$-bit input per TBC call
• The $t$-bit tweak does not process message
  – It is reserved for the block index
Optimally-efficient TBC-based MAC?

11. Our proposals: ZMAC ("The MAC") and ZAE
ZMAC is
• The first optimally efficient TBC-based MAC
  – $(n + t)$-bit input per TBC call
• Parallel, and BBB-secure
  – $\min\{n, (n+t)/2\}$-bit security, e.g. $n$-bit secure when $t \ge n$
ZAE is
• An application of ZMAC to Deterministic Authenticated Encryption (DAE) [RS06]
• Better efficiency and security than SCT, presented at CRYPTO 2016 [PS16]
Both use the TBC as the sole primitive, and are secure if the TBC is a TPRP


13. Structure of ZMAC
A simple composition of message hashing and finalization (Carter-Wegman MAC):
• ZMAC = ZFIN ∘ ZHASH
• ZHASH : $\mathcal{M} \to \{0,1\}^{n+t}$ is a computational universal hash function
• ZFIN : $\{0,1\}^{n+t} \to \{0,1\}^{2n}$ is a PRF
  – Output truncation if needed
Unified specs for any $t$ ($t = n$, $t < n$ or $t > n$)
We focus on ZHASH, the most innovative part of ZMAC

14. How ZHASH works: tweak extension
Optimal efficiency implies that the $t$-bit tweak of $\tilde{E}$ must be extended to incorporate the block index. This can be done by XTX [MI15], an extension of LRW and XEX:
• Global tweak $G \in \mathcal{G}$, $|\mathcal{G}| > 2^t$
• Keyed function $H : \mathcal{L} \times \mathcal{G} \to \{0,1\}^n \times \{0,1\}^t$
• $\mathrm{XTX}[\tilde{E}, H]_{K,L}(G, X) = \tilde{E}_K(W_t, W_n \oplus X) \oplus W_n$ with $(W_n, W_t) = H_L(G)$

15. How ZHASH works: security of XTX/XT
XTX is secure if $H$ is $\epsilon$-partial AXU (pAXU) [MI15]:
$$\max_{G \ne G',\ \delta \in \{0,1\}^n} \Pr\big[L \xleftarrow{\$} \mathcal{L} : H_L(G) \oplus H_L(G') = (\delta, 0^t)\big] \le \epsilon,$$
that is, the $n$-bit part is close to differentially uniform and the $t$-bit part has a small collision probability

16. How ZHASH works: security of XTX/XT
In our case, $G \in \{0,1\}^t \times \mathbb{N}$†, where the $\{0,1\}^t$ component is the message part and the $\mathbb{N}$ component is the block index, and the block index is a counter
Then XTX can be instantiated and optimized by
• Using the "doubling" trick as in XEX
• Omitting the outer mask on the output $Y$ (as decryption is not needed)
† Omitting the domain separation variable

17. How ZHASH works: security of XTX/XT
The resulting scheme is XT, using $H_L(G)$ defined as
$$H_{(L_\ell, L_r)}(T, i) = \big(2^{i-1} L_\ell,\ 2^{i-1} L_r \oplus_t T\big),$$
using two $n$-bit keys $(L_\ell, L_r)$
Details:
• $2^i X$ is $X$ multiplied by 2 over $\mathrm{GF}(2^n)$ $i$ times
  – Computation is easy by caching $2^{i-1} X$, as done in XEX
• $X \oplus_t Y = \mathrm{msb}_t(X) \oplus Y$ if $t \le n$, and $(X \,\|\, 0^{t-n}) \oplus Y$ if $t > n$
  – Chop-or-pad before the sum

18. How ZHASH works: security of XTX/XT
Lemma. Let $\tilde{P} : \mathcal{T} \times \{0,1\}^n \to \{0,1\}^n$ be a TURP and let $H$ be $\epsilon$-pAXU. Then
$$\mathrm{Adv}^{\mathrm{tprp}}_{\mathrm{XT}[\tilde{P}, H]}(q) \le \frac{q^2 \epsilon}{2}.$$
Our $H$ is $1/2^{n + \min\{n,t\}}$-pAXU. Thus
$$\mathrm{Adv}^{\mathrm{tprp}}_{\mathrm{XT}[\tilde{P}, H]}(q) \le \frac{q^2}{2^{n + \min\{n,t\} + 1}}.$$
Therefore, XT has $\min\{n, (n+t)/2\}$-bit BBB security
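Added worked step (not on the slide): how the bit-security figure follows from the bound above. The bound becomes constant when
$$\frac{q^2}{2^{n + \min\{n,t\} + 1}} \approx 1 \iff \log_2 q \approx \frac{n + \min\{n,t\}}{2} = \min\Big\{\frac{n + n}{2},\ \frac{n + t}{2}\Big\} = \min\Big\{n,\ \frac{n+t}{2}\Big\},$$
so the adversary needs about $2^{n}$ queries when $t \ge n$ and about $2^{(n+t)/2}$ queries when $t < n$, matching the security claim of slide 11.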


20. How ZHASH works: chaining scheme
Given XT, it is easy to apply it in the PMAC-like single-chaining hashing scheme
• The message is divided into $(n+t)$-bit blocks $(X_\ell[i], X_r[i])$ for $i = 1, 2, \ldots$
• This is optimally efficient, but security is up to the birthday bound
• Need a larger chaining value
[Figure: single-chaining scheme; collision with $2^{n/2}$ queries]

21. How ZHASH works: chaining scheme
• Naive use of the $2n$-bit chaining scheme [Nai15][Yas11] doesn't work
  – An XT output collision still breaks the scheme
[Figure: $2n$-bit chaining scheme; collision with $2^{n/2}$ queries]


23. How ZHASH works: chaining scheme
• Key observation: to avoid these collision attacks, the processing of $(X_\ell, X_r)$ (the dotted box) must be a permutation
• A Feistel-like 1-round permutation works (ZHASH)
[Figure: ZHASH chaining scheme, with the dotted box around the processing of $(X_\ell, X_r)$]
Lemma. ZHASH (with XT using a TURP) is $\epsilon$-almost universal for $\epsilon = 4 / 2^{n + \min\{n,t\}}$

24. Full ZHASH
Input: $X = (X[1], \ldots, X[m])$, $|X[i]| = n + t$
Output: $(U, V)$, $|U| = n$, $|V| = t$
[Figure: each block $X[i] = (X_\ell, X_r)$ is masked with $2^{i-1} \cdot L_\ell$ and $2^{i-1} \cdot L_r$ (the latter via $\oplus_t$) and processed by $\tilde{E}^8_K$; the $n$-bit outputs are accumulated into $U$ through a chain starting from $0^n$ with multiplication by 2, and the $t$-bit outputs are accumulated into $V$ through a chain starting from $0^t$ via $\oplus_t$]
Details:
• $X \oplus_t Y = \mathrm{msb}_t(X) \oplus Y$ if $t \le n$, and $(X \,\|\, 0^{t-n}) \oplus Y$ if $t > n$
• $2 \cdot X$: multiplication by 2
• $L_\ell$ and $L_r$: two $n$-bit masks derived from $\tilde{E}_K$ with domain separation

25. ZFIN
ZFIN simply encrypts $U$ with tweak $V$ twice (for each $n$-bit output) and takes the sum (with domain separation)
[Figure: four calls on input $U$ with tweak $V$, $\tilde{E}^{i}_K, \tilde{E}^{i+1}_K, \tilde{E}^{i+2}_K, \tilde{E}^{i+3}_K$, summed pairwise into $Y[1]$ and $Y[2]$]
PRF security of ZFIN
• ZFIN is essentially the "Sum of Permutations" [Luc00, BI99, Pat08a, Pat13, CLP14, MN17]
• From a recent result by Dai et al. [DHT17], ZFIN is $n$-bit secure
Lemma.
$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{ZFIN}[\tilde{P}]}(q) \le 2 \left(\frac{q}{2^n}\right)^{3/2}$$
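As an added end-to-end example (not code from the paper or its authors), the following Python walks through the pieces described on slides 17 and 22 to 25 together: the GF(2^128) doubling and the chop-or-pad $\oplus_t$, the XT masking with cached $2^{i-1} L$, the Feistel-like block step (with its inverse, to show it really is a permutation of $(X_\ell, X_r)$), the $U$ and $V$ chains of ZHASH, and the ZFIN sum of permutations, plus the receiver-side check of slide 2. The tweakable block cipher is a stand-in assumed for this example only: a 4-round Feistel permutation with HMAC-SHA256 round functions, used in place of a real TBC such as SKINNY or Deoxys-BC and carrying no security claim. The domain-separation indices for the masks (9) and for ZFIN (0 to 3), the mask inputs, and the 10* padding are assumptions of this example, not the paper's specification. $n = 128$ is fixed; $t$ is a parameter so that $t < n$, $t = n$ and $t > n$ can all be exercised.

```python
import hmac
import hashlib

N = 16  # n = 128 bits; all lengths below are in bytes, t (tweak size) is a parameter

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def gf128_double(x: bytes) -> bytes:
    """2 * X over GF(2^128) (slide 17), big-endian, modulus x^128 + x^7 + x^2 + x + 1."""
    v = int.from_bytes(x, "big") << 1
    if v >> 128:
        v ^= (1 << 128) | 0x87
    return v.to_bytes(N, "big")

def xor_t(x: bytes, y: bytes, t: int) -> bytes:
    """X (+)_t Y (slide 17): X is n-bit, Y is t-bit, result is t-bit.
    t <= n: msb_t(X) xor Y;  t > n: (X || 0^{t-n}) xor Y."""
    if t <= N:
        return xor_bytes(x[:t], y)
    return xor_bytes(x + bytes(t - N), y)

def _round_f(key, dom, tweak, rnd, half):
    msg = bytes([dom, rnd]) + len(tweak).to_bytes(2, "big") + tweak + half
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def toy_tbc(key: bytes, dom: int, tweak: bytes, x: bytes) -> bytes:
    """Stand-in for E~^dom_K(tweak, X): a 4-round Feistel permutation on 128 bits whose
    round function is HMAC-SHA256 over (dom, tweak, round, half). A permutation for each
    (key, dom, tweak), but NOT a real TBC (SKINNY, Deoxys-BC, ...); no security claim."""
    l, r = x[:8], x[8:]
    for rnd in range(4):
        l, r = r, xor_bytes(l, _round_f(key, dom, tweak, rnd, r))
    return l + r

def toy_tbc_inv(key, dom, tweak, y):
    """Inverse of toy_tbc, used only to show that the ZHASH block step is a permutation."""
    l, r = y[:8], y[8:]
    for rnd in reversed(range(4)):
        l, r = xor_bytes(r, _round_f(key, dom, tweak, rnd, l)), l
    return l + r

def block_step(key, x_l, x_r, t):
    """One masked ZHASH block (slides 22-24): C_l = E~^8_K(X_r, X_l), C_r = X_r (+)_t C_l.
    Feistel-like, hence a permutation of (X_l, X_r): the key observation of slide 22."""
    c_l = toy_tbc(key, 8, x_r, x_l)
    return c_l, xor_t(c_l, x_r, t)

def block_step_inv(key, c_l, c_r, t):
    x_r = xor_t(c_l, c_r, t)  # (+)_t is an xor, so applying it again undoes it
    return toy_tbc_inv(key, 8, x_r, c_l), x_r

def derive_masks(key, t):
    """L_l, L_r: two n-bit masks from E~_K with domain separation (slide 24).
    Domain index 9 and the inputs 0^n, 0^{n-1}1 are assumptions of this example."""
    z = bytes(t)
    return toy_tbc(key, 9, z, bytes(N)), toy_tbc(key, 9, z, bytes(N - 1) + b"\x01")

def zhash(key, msg, t):
    """ZHASH (slide 24): (n+t)-bit blocks, XT masks (2^{i-1}L_l, 2^{i-1}L_r (+)_t X_r),
    U doubling chain from 0^n, V xor chain from 0^t. The 10* padding is an assumption."""
    blk = N + t
    padded = msg + b"\x80"
    padded += bytes(-len(padded) % blk)
    l_l, l_r = derive_masks(key, t)
    u, v = bytes(N), bytes(t)
    for off in range(0, len(padded), blk):
        x_l = xor_bytes(padded[off:off + N], l_l)        # X_l xor 2^{i-1} L_l
        x_r = xor_t(l_r, padded[off + N:off + blk], t)    # 2^{i-1} L_r (+)_t X_r
        c_l, c_r = block_step(key, x_l, x_r, t)
        u = xor_bytes(gf128_double(u), c_l)               # U <- 2U xor C_l
        v = xor_bytes(v, c_r)                             # V <- V xor C_r
        l_l, l_r = gf128_double(l_l), gf128_double(l_r)   # cache 2^i L for the next block
    return u, v

def zfin(key, u, v, dom=0):
    """ZFIN (slide 25): E~^{i..i+3}_K(V, U) summed pairwise, a 2n-bit sum of permutations.
    Domain indices 0..3 are an assumption of this example."""
    y1 = xor_bytes(toy_tbc(key, dom, v, u), toy_tbc(key, dom + 1, v, u))
    y2 = xor_bytes(toy_tbc(key, dom + 2, v, u), toy_tbc(key, dom + 3, v, u))
    return y1 + y2

def zmac(key, msg, t=N, taglen=2 * N):
    u, v = zhash(key, msg, t)
    return zfin(key, u, v)[:taglen]  # output truncation if needed (slide 13)

def zmac_verify(key, msg, tag, t=N):
    """Receiver side (slide 2): recompute locally and compare in constant time."""
    if not 1 <= len(tag) <= 2 * N:
        return False
    return hmac.compare_digest(zmac(key, msg, t, len(tag)), tag)

KEY = bytes(range(32))  # constructed demo key
MSG = b"constructed sample message for the ZMAC walk-through"
```

Calling `zmac(KEY, MSG, t)` for `t` in `(8, 16, 24)` exercises the three cases of `xor_t`; `block_step_inv` recovers the masked `(X_l, X_r)` from `(C_l, C_r)`, which is exactly the permutation property slide 22 relies on, and `zmac_verify` shows the tag check done with a constant-time comparison rather than `==`.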
