Pseudo-Random Functions and Parallelizable Modes of Operations of
Parallelizable and Authenticated Online Ciphers · 2013-12-04 · Results Table : Software...
Transcript of Parallelizable and Authenticated Online Ciphers · 2013-12-04 · Results Table : Software...
Parallelizable and Authenticated Online Ciphers1
Atul Luykx
COSICKU Leuven and iMinds
December 3, 2013
1Joint work with E. Andreeva, A. Bogdanov, B. Mennink, E. Tischhauser,
and K. Yasuda.1 / 24
Motivation: Authenticated Encryption
Authenticated Encryption (AE) = Privacy + Authenticity
1 Applications: SSH, IPsec, TLS, IEEE 802.11
2 CAESAR competition
’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12
IAPM OCB
XECB
CCM EAX
CWC
GCM
SIV BTM
HBS
McOE
Figure : AE schemes
2 / 24
Motivation: Nonce Misuse
AuthenticatedEncryption (AE)
Nonce Respecting
AEK AEK
M1
C1
M1
C2
N1
3 / 24
Motivation: Nonce Misuse
AuthenticatedEncryption (AE)
Nonce Respecting
AEK AEK
M1
C1
M1
C2
N1 N2
3 / 24
Motivation: Nonce Misuse
AuthenticatedEncryption (AE)
Nonce Respecting
AEK AEK AEK
M1
C1
M1
C2
M2
C3
N1 N2 N3
3 / 24
Motivation: Nonce Misuse
AuthenticatedEncryption (AE)
Nonce Respecting
AEK AEK AEK
M1
C1
M1
C2
M2
C3
N N N
3 / 24
Motivation: Nonce Misuse
AuthenticatedEncryption (AE)
Nonce Respecting
AEK AEK AEK
M1
C1
M1
C1
M2
C3
N N N
3 / 24
Motivation: Nonce Misuse
AuthenticatedEncryption (AE)
Nonce Respecting
’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12
IAPM OCB
XECB
CCM EAX
CWC
GCM
SIV BTM
HBS
McOE
3 / 24
Motivation: OCB With Nonce Repeated
M [1] M [2] M [3] M [4]
EK
C[1]
EK
C[2]
EK
C[3]
EK
C[4]
t1 t2 t3 t4
4 / 24
Motivation: OCB With Nonce Repeated
M [1] M [2] M [3] M [4]
EK
C[1]
EK
C[2]
EK
C[3]
EK
C[4]
t1 t2 t3 t4
4 / 24
Motivation: Nonce Misuse
AuthenticatedEncryption (AE)
Nonce Respecting
AEK AEK AEK
M1
C1
M1
C1
M2
C3
N N N
5 / 24
Motivation: Nonce Misuse
AuthenticatedEncryption (AE)
Nonce Respecting
Misuse Resistant AE (MRAE)
AEK AEK AEK
M1
C1
M1
C1
M2
C3
N N N
5 / 24
Motivation: Efficiency
’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12
IAPM OCB
XECB
CCM EAX
CWC
GCM
SIV BTM
HBS
McOE
SIV, BTM, HBS:
1 High latency (receive full message before first output)
2 Storage issues (large internal state)
McOE: inherently sequential
6 / 24
Motivation: Efficiency
’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12
IAPM OCB
XECB
CCM EAX
CWC
GCM
SIV BTM
HBS
McOE
SIV, BTM, HBS:
1 High latency (receive full message before first output)
2 Storage issues (large internal state)
McOE: inherently sequential
6 / 24
Motivation: Our Goal
Design an AE scheme that is
Online
Parallelizable
Misuse Resistant
Our method:
1 Create the first parallelizable online cipher: COPE
2 Add authenticity efficiently: COPA
7 / 24
Motivation: Our Goal
Design an AE scheme that is
Online
Parallelizable
Misuse Resistant
Our method:
1 Create the first parallelizable online cipher: COPE
2 Add authenticity efficiently: COPA
Our desired AE scheme: COPA
7 / 24
Background: Cipher Definition
M ∈ {0, 1}∗ M Cipher
K
C |M | = |C|
Cipher vs Encryption Scheme
Length-Preserving Not Necessarily
Deterministic Randomized, Stateful (nonce)
Indistinguishable from permutations Indistinguishable from random bits
8 / 24
Background: Achieving AE via Ciphers
Cipher
Authentication
MRAE
AE
Nonce Respecting
Variable Input Length
Block Cipher
9 / 24
Background: Online Cipher Definition
1 Same interface as a cipher
2 More efficient and“on-the-fly” computing
3 Different (weaker) securityrequirement: up to prefix
10 / 24
Background: Online Cipher Definition
1 Same interface as a cipher
2 More efficient and“on-the-fly” computing
3 Different (weaker) securityrequirement: up to prefix
M [1] M [2] M [3] M [4]
C[1] C[2] C[3] C[4]
Dependency in a cipher.
10 / 24
Background: Online Cipher Definition
1 Same interface as a cipher
2 More efficient and“on-the-fly” computing
3 Different (weaker) securityrequirement: up to prefix
M [1] M [2] M [3] M [4]
C[1] C[2] C[3] C[4]
Dependency in a cipher.
M [1] M [2] M [3] M [4]
C[1] C[2] C[3] C[4]
Dependency in an online cipher.
10 / 24
Background: Achieving AE Via Online Ciphers
AE
Nonce Respecting
MRAE
Cipher
Authentication
Variable Input Length
Block Cipher
11 / 24
Background: Achieving AE Via Online Ciphers
AE
Nonce Respecting
MRAE
Cipher
Authentication
Block Cipher
Variable Input Length
11 / 24
Background: Achieving AE Via Online Ciphers
AE
Nonce Respecting
MRAE
Cipher
Authentication
Block Cipher
Variable Input Length
MRAE “up to prefix”
Nonce Respecting
Online Cipher
Authentication
11 / 24
Existing Work
1 HCBC1, HCBC2 (BBKN, Crypto ’01)
2 MHCBC, MCBC (Nandi, Indocrypt ’08)
3 Rewritten with tweakable block ciphers: TC1, TC2, TC3(Rogaway and Zhang, CT-RSA ’11)
4 McOE family (FFL, FSE ’12): TC3 with authentication
All schemes are inherently sequential.
12 / 24
Achieving Parallelizability
M [1] M [2] M [3] M [4]
EK
C[1]
EK
C[2]
EK
C[3]
EK
C[4]
t1 t2 t3 t4
14 / 24
Achieving Parallelizability
M [1] M [2] M [3] M [4]
EK EK EK EKt1 t2 t3 t4
C[1] C[2] C[3] C[4]
14 / 24
Achieving Parallelizability
M [1] M [2] M [3] M [4]
EK EK EK EKt1 t2 t3 t4
C[1] C[2] C[3] C[4]
EK EK EK EKt5 t6 t7 t8
14 / 24
Achieving Parallelizability
M [1] M [2] M [3] M [4]
EK EK EK EKt1 t2 t3 t4
EK EK EK EKt5 t6 t7 t8
+ + +
14 / 24
Achieving Parallelizability
M [1] M [2] M [3] M [4]
EK EK EK EKt1 t2 t3 t4
EK EK EK EKt5 t6 t7 t8
+ + +
C[1] C[2] C[3] C[4]
14 / 24
Our Online Cipher: COPE
M [1] M [2] M [3] M [4]
EK EK EK EK20 · 3L 21 · 3L 22 · 3L 23 · 3L
EK EK EK EK21L 22L 23L 24L
+ + +
C[1] C[2] C[3] C[4]
L := EK(0)
15 / 24
Our Authenticated Online Cipher: COPA
M [1] M [2] M [3] M [4]
EK EK EK EK20 · 3L 21 · 3L 22 · 3L 23 · 3L
EK EK EK EK21L 22L 23L 24L
+ + + +
C[1] C[2] C[3] C[4]
SV
COPE
M [1]⊕M [2]⊕M [3]⊕M [4]
EK2332L
+S
EK237L
T
Note: COPA also accepts associated data (while maintainingparallelizability)
17 / 24
Security
σ: total length of all queries in number of blocksa ≈ 40, b ≈ 4
Advcpa
COPE(t, σ) ≤a·σ2
2n+Adv
prp±1E
(t′, b · σ)
Advcpa
COPA(t, σ) ≤a·σ
2
2n+Adv
prp±1
E(t′, b · σ)
AdvintCOPA(t, σ) ≤
a·σ2
2n+Adv
prp±1
E(t′, b · σ)
18 / 24
Security: Proof Idea
M [1] M [2] M [3] M [4]
EK EK EK EK20 · 3L 21 · 3L 22 · 3L 23 · 3L
EK EK EK EK21L 22L 23L 24L
+ + +
C[1] C[2] C[3] C[4]
L := EK(0)
19 / 24
Security: Proof Idea
M [1] M [2] M [3] M [4]
π1 π2 π3 π4
π5 π6 π7 π8
+ + +
C[1] C[2] C[3] C[4]
19 / 24
Security: Proof Idea
M [1] M [2] M [3] M [4]
π1 π2 π3 π4
π5 π6 π7 π8
+ + +
C[1] C[2] C[3] C[4]
19 / 24
Results: Using AES-NI on Intel Sandy Bridge
102 103 1040
2
4
6
8
10
12
message length (bytes)
cycles
per
byte
CTRCOPECOPA
McOE-GTC1TC3
MCBC
20 / 24
Summary
1 COPE: first parallelizable, online cipher
2 COPA: misuse resistant authenticated encryption (withassociated data)
efficientsecurity reduction to block cipherCAESAR submission
21 / 24
COPE
M [1] M [2] M [3] M [4]
+ + + +
EK EK EK EK
20 · 3L 21 · 3L 22 · 3L 23 · 3L
EK EK EK EK
+ + + +21L 22L 23L 24L
+ + + +L
C[1] C[2] C[3] C[4]L := EK(0)
22 / 24
Associated Data in COPA
A[1] A[2] A[3] A[4]
+ + + +33L 2 · 33L 22 · 33L 23 · 34L
EK EK EK
+ + +
EK
V
23 / 24
Results
Table : Software performance of (authenticated) online ciphers based onthe AES on the Intel Sandy Bridge platform (AES-NI). All numbers aregiven in cycles per byte (cpb).
message length (bytes)
Algorithm 128 256 512 1024 2048 4096 8192
CTR 1.74 1.27 1.05 0.93 0.86 0.83 0.82TC1 9.00 8.75 8.65 8.60 8.56 8.56 8.56TC3 9.08 8.82 8.72 8.67 8.63 8.63 8.62MCBC 11.66 11.00 10.68 10.52 10.44 10.40 10.38COPE 2.56 2.08 1.89 1.78 1.72 1.70 1.69
McOE-G 10.85 9.73 9.14 8.90 8.74 8.69 8.66COPA 3.78 2.85 2.31 2.06 1.94 1.88 1.85
24 / 24