The Limited Power of Verification Queries in Message Authentication - - PowerPoint PPT Presentation



SLIDE 1

The Limited Power of Verification Queries in Message Authentication and Authenticated Encryption

September 29, 2015

Atul Luykx, Bart Preneel, Kan Yasuda

1 / 15

SLIDE 4

Modes of Operation

(Diagram: a mode built from a block cipher $E_K$, a keyed function $F_K$ and a permutation $p$.)

Examples: AES-OTR, Deoxys, ASCON, OMD

Advantage of modes: able to focus on the primitive

1. Reduce security of the AE scheme to that of the underlying primitive
2. For AE this is done for confidentiality and authenticity

2 / 15

SLIDE 5

Reduction Loss

1. Reduction is often not perfect, which results in a loss of security
2. Loss of security is quantified in terms of parameters

Table: Examples of parameters.

  n   Block size
  q   Number of tagging or encryption queries
  k   Key length
  ℓ   Maximum message length
  σ   Total number of encryption and decryption blocks

3 / 15

SLIDE 8

Various AE Bounds

(Diagram: a mode built from a block cipher $E_K$, a function $f$ and a permutation $p$.)

Examples: AES-OTR, Deoxys, ASCON, OMD

Confidentiality: $\dfrac{\sigma^2}{2^n} + \mathrm{(S)PRP}$, $\quad \dfrac{\sigma^2}{2^n}$, $\quad \dfrac{\sigma^2}{2^n} + \mathrm{PRF}$

Authenticity: each confidentiality bound above $+ \dfrac{v}{2^n}$

4 / 15

SLIDE 11

Improved Bounds: MAC Message Length

Much research has been performed on reducing the message-length dependence from quadratic to linear for MACs: PMAC, CBC-MAC, EMAC, OMAC, TMAC

$\dfrac{\ell^2 q^2}{2^n} \;\to\; \dfrac{\ell q^2}{2^n}$

$n = 128$, $q = 2^{48}$: $\ell \le 2^{15} \;\to\; \ell \le 2^{30}$

$n = 128$, $\ell = 2^{15}$: $q \le 2^{48} \;\to\; q \le 2^{63}$

5 / 15

SLIDE 12

Improved Bounds: Permutation Based Modes

  Scheme           c     n      k     security
  Ascon            192   128    96    96
                   256   64     128   128
  ICEPOLE          254   1026   128   128
                   318   962    256   256
  NORX             192   320    128   128
                   384   640    256   256
  GIBBON/HANUMAN   159   41     80    80
                   239   41     120   120

6 / 15

SLIDE 15

Improved Bounds: Permutation Based Modes

  Scheme           c     n      n/n_old   k     security
  Ascon            96    224    1.75      96    96
                   128   192    3         128   128
  ICEPOLE          128   1152   1.12      128   128
                   256   1024   1.06      256   256
  NORX             128   384    1.2       128   128
                   256   768    1.2       256   256
  GIBBON/HANUMAN   80    120    2.92      80    80
                   120   160    3.90      120   120

6 / 15

SLIDE 17

Improved security bounds lead to

1. Better parameter choices
2. Increased longevity
3. Increased efficiency

Despite advances, there is still a lot of work left.

7 / 15

SLIDE 18

Authenticity Definition

(Diagram: Tag takes $M$ and outputs $T$; Verify takes $(M, T)$ and outputs either $M$ or $\bot$.)

$\mathrm{Auth}(q, v)$: forgery success with $q$ tagging queries and $v$ forgery attempts

8 / 15

SLIDE 24

Authenticity Bounds

$\dfrac{\sigma^2}{2^n} \;\to\; \dfrac{\ell^2 (q+v)^2}{2^n}$

1. 128-bit block cipher
2. Only one-block verification queries

$\dfrac{\ell^2 (q+v)^2}{2^{128}} \;\to\; \dfrac{1^2 (0+v)^2}{2^{128}} = \dfrac{v^2}{2^{128}}$ vs $\dfrac{v}{2^{128}}$

$v = 2^{64}$: $1$ vs $\dfrac{1}{2^{64}}$

9 / 15

SLIDE 26

Optimal Bound

So far only certain types of MACs have an optimal bound:

1. Nonce-based
2. Multiple keys

Excludes PMAC, CBC-MAC, OMAC

For AE:

1. Except for TBC modes, none with optimal bounds
2. Generic composition: reduction to MAC security

→ need optimal MACs

10 / 15

SLIDE 28

Question

Why do well-designed schemes exhibit quadratic dependence?

Proof techniques

11 / 15

SLIDE 30

PRF-based MAC

(Diagram: Tag feeds $M$ through the PRF to obtain $Y$, which is the tag $T$; Verify recomputes $Y$ and checks $T \overset{?}{=} Y$, outputting $M$ or $\bot$.)

12 / 15

SLIDE 34

Generic Reduction

Best possible generic reduction: $\mathrm{Auth}(q, v) \le \dfrac{v}{2^\tau} + \mathrm{PRF}(q+v)$

$\mathrm{PRF}(q+v) \in \Omega\!\left(\dfrac{q^2 + v^2}{2^s}\right)$

PMAC: $\dfrac{v}{2^\tau} + c \cdot \dfrac{\ell (q+v)^2}{2^n}$

13 / 15

SLIDE 38

PRP-PRF Switch

PRP-PRF Switch: $\dfrac{0.5\,\sigma^2}{2^n}$

GCM with nonce length fixed to 96 bits

Confidentiality: $\dfrac{0.5\,(\sigma + q + 1)^2}{2^n}$ (PRP-PRF switch)

Authenticity: $\dfrac{0.5\,(\sigma + q + v + 1)^2}{2^n}$ (PRP-PRF switch) $+ \dfrac{v(\ell + 1)}{2^\tau}$

14 / 15
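To make the parameter arithmetic of slides 5, 9 and 14 concrete, here is an added Python calculator (not code from the talk or its authors) that evaluates the deck's bounds as exact fractions and solves for the largest parameter value that keeps the advantage below a target. The target advantage of $2^{-2}$ used to reproduce the slide-5 message-length numbers, and the GCM parameter set, are assumptions of the example rather than values from the talk.

```python
from fractions import Fraction
from typing import Callable, Optional

# Bounds are kept as exact fractions so values like 2^-64 survive intact.
# Parameter names follow the deck: n block (and tag) size, tau tag length,
# q tagging queries, v forgery attempts, ell maximum message length in
# blocks, sigma total number of blocks processed.

def mac_bound_quadratic(n: int, ell: int, q: int) -> Fraction:
    """Older MAC bound, quadratic in message length: l^2 q^2 / 2^n."""
    return Fraction(ell**2 * q**2, 2**n)

def mac_bound_linear(n: int, ell: int, q: int) -> Fraction:
    """Improved MAC bound, linear in message length: l q^2 / 2^n."""
    return Fraction(ell * q**2, 2**n)

def auth_bound_quadratic(n: int, ell: int, q: int, v: int) -> Fraction:
    """Authenticity bound with quadratic dependence: l^2 (q + v)^2 / 2^n."""
    return Fraction(ell**2 * (q + v)**2, 2**n)

def auth_bound_optimal(n: int, v: int) -> Fraction:
    """Optimal authenticity bound: v / 2^n, one guess per forgery attempt."""
    return Fraction(v, 2**n)

def gcm_auth_bound(n: int, tau: int, sigma: int, q: int, v: int, ell: int) -> Fraction:
    """GCM (96-bit nonce) authenticity bound from the deck:
    0.5 (sigma + q + v + 1)^2 / 2^n  +  v (l + 1) / 2^tau."""
    switch_term = Fraction((sigma + q + v + 1) ** 2, 2 * 2**n)
    return switch_term + Fraction(v * (ell + 1), 2**tau)

def max_log2_param(bound: Callable[[int], Fraction], target_log2: int,
                   hi: int = 256) -> Optional[int]:
    """Largest exponent e with bound(2**e) <= 2**target_log2.
    Assumes bound is non-decreasing in its argument (true for all bounds
    above), so a binary search over e is sound.  Returns None when even a
    single query (2**0) already exceeds the target advantage."""
    target = Fraction(2) ** target_log2  # assumed target, e.g. -2 or -64
    if bound(1) > target:
        return None
    lo = 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if bound(2**mid) <= target:
            lo = mid
        else:
            hi = mid - 1
    return lo
```

With a target of $2^{-2}$ the search reproduces $\ell \le 2^{15}$ (quadratic) versus $\ell \le 2^{30}$ (linear) for $n = 128$, $q = 2^{48}$; with a target of $2^{-64}$ and one-block forgeries it allows $2^{32}$ verification queries under the quadratic bound but $2^{64}$ under the optimal one.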

SLIDE 42

Summary

1. Better security bounds improve longevity and efficiency of schemes
2. Many schemes exhibit a quadratic dependence on verification queries

Conjecture: All CAESAR modes provably achieve the optimal bound.

Paper in the works:

1. Generalizing known techniques, applied to GCM to recover the bound
2. Analyze block cipher based modes in detail, applied to PMAC to recover the bound

15 / 15