Modern authenticated encryption

(1)

Modern authenticated encryption

Joan Daemen

STMicroelectronics and Radboud University

Zagreb 2O16

(2)

Outline

1

Authenticated encryption: what and why

2

An ideal AE scheme

3

Making it practical

4

Dealing with usage wishes and worries

5

Keyak and Ketje

6

Nonceless AE: Haddoc

(3)

Authenticated encryption: what and why

What is authenticated encryption (AE)?

Messages and cryptograms

M= (AD, P)message with associated data and plaintext

Mc= (AD, C, T)cryptogram with assoc. data, ciphertext and tag

All of

M

is authenticated but only

P

is encrypted

wrapping: MtoMc unwrapping:MctoM

Symmetric cryptography: same key used for both operations

Authentication aspect

unwrapping includes veriﬁcation of tagT if not valid, it returns an error⊥

(4)

The CAESAR competition

Public competition for AE schemes

consortium from academia and industry aims for portfolio instead of single winner CAESAR committee (secretary Dan Bernstein)

Timeline

submission deadline: March 15, 2014 3 rounds foreseen

end of round 1: July 7, 2015 target end date: December 2017

Status:

Round 1: 57 candidates Round 2: 29 left

(5)

CAESAR 2nd round candidates

7 points! Singapore Hongjun Wu (& co) 4,Jean, Nikolic & Peyrin 3 5 points! Belgium COSIC team 2, FX Standaert& co,Keccak team 2 3 points! California Rogaway, Krovetz & co 3

Japan NTT & co team, Minematsu, NEC & co team 2 points! India Nandi & co 2

Switzerland Aumasson & co, EPFL team 1 point Luxembourg Biryukov & Khovratovich

Germany Lucks & co from Weimar

Austria Mendel, Schläﬀer & co from IAIK Graz Poland Morawiecki, Gaj, Pieprzyk & co Macedonia Danilo Gligoroski& co

Finland Markku Saarinen

(6)

Limitations of AE

No protection against traﬃc analysis

AE does not hide length and number of messages

to be addressed separately: random padding and dummy messages

Determinism: equal messages lead to equal cryptograms

information leakage concern of replay attacks

solution: ensure message uniqueness at wrapping end include nonceNin input when wrapping

wrapping becomes stateful a simple message counter suﬃces From now on we always include a nonceN

(7)

Functional behaviour

Wrapping:

state: K and past noncesN input:M= (N, AD, P) output: C, T or⊥ processing:

if(N∈ N )return⊥

else add N toN and returnC, T←Wrap[K](N, AD, P)

Unwrapping:

state: K

input:Mc= (N, AD, C, T) output: P or⊥

processing:

(8)

Sessions

Session: tag in cryptogram authenticates also previous messages

full sequence of messages since the session started

Additional protection against:

insertion,

omission,

re-ordering of messages within a session

Attention point: last message of session

Alternative views:

split of a long cryptogram in shorter ones intermediate tags

See

[Bellare, Kohno and Namprempre, ACM 2003]

,

[Keccak Team, SAC 2011]

,

[Boldyreva, Degabriele, Paterson, Stam, EC 2012]

and

[Hoang, Reyhanitabar, Rogaway and Vizár, 2015]

(9)

Functional behaviour, with sessions

K, N 1 AD(1) P(1) C(1) T(1) AD(2) P(2) C(2) T(3) AD(3) P(3) C(3) T(2)

Session start: creation of stateful session object D

if(N∈ N )(past nonces) return⊥

else add N toN and create D withState←Start(K, N)

Wrapping

returnC(i),T(i)←D.Wrap(AD(i),P(i)) this updatesState

Unwrapping

returnD.Unwrap(AD(i)_,_C(i)_,_T(i)₎_:_P(i)_or_⊥ in case of no error, this updatesState

(10)

Why (session-based) authenticated encryption?

Convenience

often both are conﬁdentiality and integrity are needed one scheme to choose instead of two

Eﬃciency

combination can be more eﬃcient than sum of the two, e.g., CBC encryption and CMAC: 2 block cipher calls per input block OCB3 AE: 1 block cipher call per input block

sponge-based AE: 1 permutation call per input block

Reduction of attack surface

diﬀerential attacks limited to session setup due to nonce chosen ciphertext attacks ineﬀective due to⊥

Increase of robustness against fault attacks

in wrap due to nonce requirement

(11)

An ideal AE scheme

Outline

1

Authenticated encryption: what and why

2

An ideal AE scheme

3

Making it practical

4

Dealing with usage wishes and worries

5

Keyak and Ketje

6

Nonceless AE: Haddoc

(12)

An ideal AE scheme

Underlying primitive: random oracle

RO

output lengthℓimplied by the context

ROe(·) = RO(·||1)for encryption

ROa(·) = RO(·||0)for tag computation

Wrapping

if(N∈ N )it return⊥ C← ROe(K||N||AD)⊕P T← ROa(K||N||AD||P)

Unwrapping

P← ROe(K||N||AD)⊕C T′ ← ROa(K||N||AD||P)

If(T′ ̸=T)return⊥, else return P

(13)

An ideal AE scheme

Ideal AE scheme, now supporting sessions

Starting the session

if(N∈ N )it return⊥ History←K||N

Wrapping of

M

(i)

_{= (}

_AD

(i)

_,

_P

(i)

₎

History←History||AD(i)||1 and thenC(i)← RO(History)⊕P(i) History←History||P(i)_||₀ _{and then}_T(i)_{← RO(}_History₎ return(C(i)_,_T(i)₎

Unwrapping of

M

(i)c

= (

AD

(i)

,

C

(i)

,

T

(i)

)

save current state in case of error:S′←History

History←History||AD(i)||1 and thenP(i)_{← RO(}_History₎_⊕_C(i) History←History||P(i)||0 and thenτ← RO(History)

if(τ=T(i)₎_{return P}(i)_,

elseHistory←S′and then return⊥

(14)

Security of our ideal AE scheme

Attack model: adversary can adaptively query:

Start, respecting nonce uniqueness (not counted), D.Wrap (qwtimes) and D.Unwrap (qutimes) RO(x): n times

Input to

RO(

K

||·)

never repeats: outputs are uniformly random

intra-session: each input toROis longer than previous one inter-session: ﬁrst part ofROinput(N, K)never repeated So cryptograms C(i)_{and tags T}(i)_{are uniformly random}

(15)

An ideal AE scheme

Security of our ideal AE scheme (cont’d)

Forgery:

building sequence of valid cryptograms Mc(1). . . M(ℓ)c not obtained from calls to wrap for some M(1). . . M(ℓ)

Privacy break:

learning on plaintext bits of M(ℓ)c without unwrapping all of M(1)c . . . Mc(ℓ)

Complete security breakdown: key recovery

single target key: getting one speciﬁc key

(16)

Security of our ideal AE scheme (cont’d 2)

Forgery

best strategy: send random but well-formatted cryptograms success probability for quattempts: qu2−|T|

Privacy break

best strategy at unwrap: send cryptograms with modiﬁed Cior Ti success probability for quattempts: qu2−|T|

Key retrieval

best strategy: exhaustive key search

single target: success probability for n key guesses≈n2−|K| multi-target: success probability for n key guesses≤ (m+1)n2−|K| Countermeasure against multi-target security erosion: global nonce

Summary:

1 out of m keys recovery after 2|K|−log2(m+1)_{oﬄine calls to}RO(·) single privacy break/forgery after 2|T|online calls to D.Unwrap

(17)

Making it practical

Outline

1

Authenticated encryption: what and why

2

An ideal AE scheme

3

Making it practical

4

Dealing with usage wishes and worries

5

Keyak and Ketje

6

Nonceless AE: Haddoc

(18)

Intermezzo: the sponge

M pad trunc Z outer inner 0 0 r c f f f f f f absorbing squeezing

Arbitrary input and output length

Parameters: rate r and capacity c with r

+

c

=

b (width)

Proven security strength when input M starts with long key:

expected workload to distinguish fromROis 2c−ϵcalls to f deals with average behaviour over all possible f of width b f should be designed such that there are no better attacks

(19)

Making it practical

Instantiating our ideal AE scheme

Replace

RO

by a sponge function (e.g. Keccak)

Due to security proof

[Andreeva, Daemen, Mennink, Van Assche FSE 2015]

:

key recovery: min(2|K|−log2m,2c−ϵ)oﬄine calls to Keccak-f privacy break/forgery: min(2|T|,2c/2)online calls to Keccak-f . . . assuming f (e.g., Keccak-f) has no exploitable properties

Practical scheme?

Historyincludes all previous messages storing it may require huge buﬀer

Practical scheme!

sponge variant operating sequentially on a b-bit state S

at any point S: collision-resistant keyed hash ofHistory

(20)

Instantiating our ideal AE scheme

Replace

RO

by a sponge function (e.g. Keccak)

Due to security proof

[Andreeva, Daemen, Mennink, Van Assche FSE 2015]

:

key recovery: min(2|K|−log2m,2c−ϵ)oﬄine calls to Keccak-f privacy break/forgery: min(2|T|,2c/2)online calls to Keccak-f . . . assuming f (e.g., Keccak-f) has no exploitable properties

Practical scheme?

Historyincludes all previous messages storing it may require huge buﬀer

Practical scheme!

sponge variant operating sequentially on a b-bit state S at any point S: collision-resistant keyed hash ofHistory instantiations: our CAESAR submissions Keyak and Ketje

(21)

Making it practical

Intermezzo: full-state keyed duplex (FSKD)

0 f init K σ0 Z0 outer inner f duplexing σ1 Z1 f duplexing σ2 Z2 …

Duplex: alternating absorbing and squeezing

Full-state absorbing (b bits instead of r bits)

Security proof in

[Mennink, Reyhanitabar and Vizár, 2015]

relies on[Andreeva, Daemen, Mennink, Van Assche FSE 2015]

(22)

Advantages of sponge-based AE

Smaller surface for cryptanalysis than block-cipher modes

there are no round keys

evolving state during session: moving target

Cheaper protection against side channel attacks

DPA and DEMA limited to session setup due to nonce unicity moving target during session

(23)

Dealing with usage wishes and worries

Outline

1

Authenticated encryption: what and why

2

An ideal AE scheme

3

Making it practical

4

Dealing with usage wishes and worries

5

Keyak and Ketje

6

Nonceless AE: Haddoc

(24)

Wish for being online

Online: being able to wrap or unwrap a message on-the-ﬂy

Avoid having to buﬀer long messages

Online unwrapping implies returning unveriﬁed plaintext

but security of our scheme relies on it

two ways to tackle this problem

Tolerating Release of Unveriﬁed Plaintext (RUP)

catastrophic fragmentation attack[Albrecht et al., IEEE S&P 2009]

add security notions and attacks[Andreeva et al., ASIACRYPT 2014]

try to satisfy (some of) these: costly

Our solution:

address this with sessions

split long cryptogram into short ones, each with tag shorten cryptograms til they ﬁt the unwrap buﬀer

(25)

Wish for surviving sloppy nonce management

Our assumption: K, N is unique per (wrapping) Session Start

users/implementers do not always respect this wish to limit consequences of nonce violation

All online AE schemes leak in case of nonce violation

equality of ﬁrst messages of session leaks in any case stream encryption: re-use of keystream

block encryption: just equality of block(s) leaks low entropy plaintexts become an issue

successful active attacks for quasi all proposed schemes

Consensus among experts on following:

ideal security in case of nonce misuse hard to deﬁne user shall be warned to not allow nonce violation

calling an AE scheme nonce-misuse resistant gives wrong message

Our stance:

there is no excuse for nonce violation

(26)

Wish for parallelism

Many CAESAR submissions use AES

Modern CPUs have dedicated AES instruction, e.g. AES-NI on Intel

pipelining: 1 cycle per round but latency of 8 to 16 cycles

performing a single AES: 80 cycles performing 8 independent AES: 88 cycles

Expoiting the pipeline requires ability to parallelize

Also non-AES based schemes can beneﬁt from parallelism, e.g.

pipelined architectures

superscalar architectures SIMD instructions

(27)

Wish for lightweight

Whole world of buzzwords:

IoT, Smart Grid, RFID, ad-hoc sensor and body area network, …

Strongly constrained resources

low area: reduce chip cost low power: RF powered low energy: battery-life

Speciﬁc conditions

short messages transaction time, …

Compromising on

target security strength provable security of mode

consequences of improper usage, …

Hence:

Ketje is dedicated for lightweight

(28)

Outline

1

Authenticated encryption: what and why

2

An ideal AE scheme

3

Making it practical

4

Dealing with usage wishes and worries

5

Keyak and Ketje

6

Nonceless AE: Haddoc

(29)

Keyak and Ketje

Keyak

[Keccak team+Ronny Van Keer]

AE scheme submitted to CAESAR (tweaked for round 2)

Permutation-based mode called

Motorist

Makes use of Keccak-p permutations

Keccak-p: reduced-round version of Keccak-f Keccak-f: permutations underlying Keccak

all 6 functions in SHA-3 based on Keccak-f[1600](24 rounds)

Generic deﬁnition with 5 parameters

c

capacity

τ

tag length

b

width of Keccak-p

n

r

number of rounds in Keccak-p

(30)

Keyak named instances

5 named instances with c

=

256,

τ

=

128, n

r

=

12 Eﬃciency:

Short messages:Π calls to Keccak-p Long messages: twice as fast as SHAKE128

Name

Width b

Parallelism

Π

River Keyak

800

1 Lake Keyak

1600

1 Sea Keyak

1600

2 Ocean Keyak

1600

4

(31)

Keyak and Ketje

The Motorist mode of use

0 _SUV

1

T(0)

SUV = Secret and Unique Value

Plaintext absorbed in outer part, AD in inner part also

Tag and keystream from same output block Z

i

Speciﬁed in three layers:

Piston:Π of them, each one an FSKD

Engine: ﬁnite state machine steering the Piston(s)

(32)

The Motorist mode of use

0 _SUV 1 T(0) A(1) P(1) C(1) T(1)

SUV = Secret and Unique Value

Plaintext absorbed in outer part, AD in inner part also

Tag and keystream from same output block Z

i

Speciﬁed in three layers:

(33)

Keyak and Ketje

The Motorist mode of use

0 _SUV 1 T(0) A(1) P(1) C(1) T(1) P(2) C(2) T(2)

SUV = Secret and Unique Value

Plaintext absorbed in outer part, AD in inner part also

Tag and keystream from same output block Z

i

Speciﬁed in three layers:

(34)

The Motorist mode of use

0 _SUV 1 T(0) A(1) P(1) C(1) T(1) P(2) C(2) T(2) A(3) T(3)

SUV = Secret and Unique Value

Plaintext absorbed in outer part, AD in inner part also

Tag and keystream from same output block Z

i

Speciﬁed in three layers:

(35)

Keyak and Ketje

Ketje

[Keccak team+Ronny Van Keer]

AE scheme submitted to CAESAR (made it to round 2)

Two instances

Functionally similar to Keyak

Lightweight:

using reduced-round Keccak-f[400]or Keccak-f[200]

small footprint

low computation for short messages

How?

96-bit or 128-bitsecurity (incl. multi-target) more ad-hoc: monkeyDuplex instead of FSKD reliance on nonce uniqueness for key protection

(36)

Ketje instances and lightweight features

feature

Ketje Jr

Ketje Sr

state size

25 bytes

50 bytes

block size

2 bytes

4 bytes

processing

computational cost

session start

per session

12 rounds

wrapping

per block

1 round

8-byte tag comp.

per message

9 rounds

7 rounds

More on Ketje and Keyak:

http://ketje.noekeon.org

http://keyak.noekeon.org

(37)

Keyak and Ketje

Keyak and Ketje in absence of nonces

Keyak may leak plaintext information

XOR of 1st diﬀering plaintext blocks in otherwise identical sessions

Ketje may break down completely

(38)

Outline

1

Authenticated encryption: what and why

2

An ideal AE scheme

3

Making it practical

4

Dealing with usage wishes and worries

5

Keyak and Ketje

6

Nonceless AE: Haddoc

(39)

Nonceless AE: Haddoc

Haddoc: the concept

AD P

PRF K CTR

T C

Permutation-based variant of SIV

[Rogaway, Shrimpton 2006]

Nonceless

Leakage limited to:

length of messages

(40)

Inside Haddoc: the donkeySponge PRF

Absorbing phase exploits state secrecy

[DR, Pelican, 2005]

:

usage of full state width b

ninit=2: make all state bits depend on the key

nabsorb=6: limitmax DPto prevent state collisions

(41)

Nonceless AE: Haddoc

Building blocks of Haddoc

PRF: donkeySponge with

input K: key

input M: injective coding of(AD, P) output T=⌊Z⌋256

CTR: sponge in counter mode

single-block in- and outputs Zi=sponge(K||T||i) Ci=Mi⊕Zi nr=12

Permutations

Keccak-p[1600, nr] Keccak-p[800, nr]

(42)

Haddoc features

Processing:

long messages: about 70 % of SHAKE128 short messages: 26 rounds

if P is absent we get a MAC function: long messages: about 21 % of SHAKE128 short messages: 14 rounds

Advantages

decryption: random access encryption: PRF parallelizable

Disadvantages

encryption strictly two-pass

(43)

Robust AE: Mr. Monster Burrito

Outline

1

Authenticated encryption: what and why

2

An ideal AE scheme

3

Making it practical

4

Dealing with usage wishes and worries

5

Keyak and Ketje

6

Nonceless AE: Haddoc

(44)

Mr. Monster Burrito: the concept

P ₀ B C TW K C P _0? B-1

Robust AE

[Rogaway, ACNS 2014]

inspired by AEZ[Hoang, Krovetz, Rogaway, Shrimpton 2014]

wide tweakable block cipher

variable key-, tweak- and blocksize: |K|,|TW|and|B|

Best possible forgery resistance for given message expansion

(45)

Inside Mr. Monster Burrito

Pʹ_left Pʹ_right K TW F 1 F₂ F₃ F 4 C_left C_right

Based on

[Naor Reingold 1997]

,

thanks[DJB, Tenerife 2013]

F2and F3: PRF

(46)

Building blocks of Mr. Monster Burrito

Asymmetric Feistel: right part is single block

F

i

: donkeySponge instances as in Haddoc PRF

F

i

input:

K: key

M: injective coding of(|B|,TW, Sleft/right,i)

F

i

output length:

F1, F3and F4: single-block

F2: same length as left part

Permutations

Keccak-p[1600, nr]

(47)

Mr. Monster Burrito features

Processing

block length above rate: close to 100% of SHAKE128 short block length: 56 rounds

Advantages

minimum data expansion for given anti-forgery level can even exploit redundancy in plaintext