Security Analysis of HyENA Authenticated Encryption Mode · Security Statement for HyENA. Main...
Security Analysis of HyENA Authenticated Encryption Mode
A.Chakraborti*, N.Datta, A.Jha, S.Mitragotri, M.Nandi
*NTT Secure Laboratories, Japan Indian Statistical Institute, Kolkata, India
Nov 06, 2019
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 1 / 25
Introduction
Motivation
Designing Lightweight Authenticated Encryption
Full Rate.
Small state size.
Small additional operations (constant mult, xor etc).
Introduction
Typical Design Choice
Use feedback based sequential block-cipher (n-bit) mode. State size: block-cipher state + additional auxiliary (masking) state.
Figure: HyENA authenticated encryption mode for full data blocks.
Introduction
Choice of Feedback Functions
Figure: Classical Feedback Functions: PFB, OFB, CFB.
Requires at least n-bit additional masking states for security of the mode.
Introduction
Choice of Feedback Functions
Figure: Combined Feedback Functions: CoFB [Chakraborti et al.]
How small can we go? Requires only n/2-bit additional masking states.
Observation: 2n-bit XORs for the feedback function.
Introduction
Choice of Feedback Functions
Figure: Hybrid Feedback Functions (HyFB): (PFB, CFB), (OFB, CFB), (PFB, OFB).
Hybrid combination of classical feedbacks.
Only n-bit XORs for the feedback function.
Can we go even smaller? Design a feedback-based AE with HyFB function and maximum n/2-bit additional masking states.
Specification
Concrete Specification of HyENA AE Mode
Figure: HyENA Authenticated Encryption Mode. Here $X[0] = N \| 0^{30} \| b_0 \| b_1$, $\Delta = \lceil Y[0] \rceil$.
Mask labels in the figure: $2\Delta, 2^2\Delta, \dots, 3 \cdot 2^{a-1}\Delta$ for the associated data blocks $A[0], A[1], \dots, A[a-1]$, and $3 \cdot 2^{a}\Delta, 3 \cdot 2^{a+1}\Delta, \dots, 3^2 \cdot 2^{a+m-2}\Delta$ for the message blocks $M[0], M[1], \dots, M[m-1]$.
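The mask sequence labelled in the figure, as an added example that is not part of the slides or of the designers' code: it generates the multiples of $\Delta$ applied to each full block and checks that every block position gets a distinct nonzero multiplier, so a linear relation between two masked positions of one query does not cancel $\Delta$. Assumptions: n = 128 (so $\Delta$ is a 64-bit field element), the reduction polynomial $x^{64} + x^4 + x^3 + x + 1$, and the function names, none of which appear on the slides.

```python
# Added illustration; not code from the slides or from the HyENA designers.
# Assumptions: n = 128, so Delta is an element of GF(2^64); the reduction
# polynomial x^64 + x^4 + x^3 + x + 1 is assumed, the slides do not state it.
MASK64 = (1 << 64) - 1
POLY_LOW = 0x1B  # x^4 + x^3 + x + 1


def times2(v):
    """Multiply v by the field element 2 (the polynomial x)."""
    v <<= 1
    if v >> 64:
        v = (v & MASK64) ^ POLY_LOW
    return v


def times3(v):
    """Multiply v by 3 = x + 1."""
    return times2(v) ^ v


def mask_schedule(delta, a, m):
    """Masks for a full AD blocks followed by m full message blocks.

    Follows the figure labels: the mask is doubled before each block,
    except before the last AD block and the last message block, where it
    is tripled instead. Requires a >= 1 and m >= 1.
    """
    if a < 1 or m < 1:
        raise ValueError("this sketch covers a >= 1 and m >= 1 only")
    masks, cur = [], delta & MASK64
    for i in range(a + m):
        is_last = i == a - 1 or i == a + m - 1
        cur = times3(cur) if is_last else times2(cur)
        masks.append(cur)
    return masks


def multipliers_distinct(a, m):
    """True if every block position gets a different nonzero multiple of
    Delta. Each mask is GF(2)-linear in Delta, so Delta = 1 exposes the
    multipliers themselves."""
    coeffs = mask_schedule(1, a, m)
    return 0 not in coeffs and len(set(coeffs)) == len(coeffs)


if __name__ == "__main__":
    for pos, mask in enumerate(mask_schedule(0x0123456789ABCDEF, 3, 3)):
        print(pos, f"{mask:016x}")
    print("distinct multipliers:", multipliers_distinct(4, 8))
```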
Specification
Remark
This version of HyENA differs from the NIST Lightweight submitted version only in the masking of the final associated data.
This modification ensures identical AD and message processing, and achieves better hardware performance.
Specification
Choice of HyFB Function
Figure: HyFB module of HyENA for full data blocks: (a) HyFB+ module, (b) HyFB- module. The XOR count is equal to 3n/2.
Specification
Choice of Feedback Functions
Figure: HyFB module of HyENA for partial data blocks: (a) HyFB+ module, (b) HyFB- module. Diagram labels: Pad ($\| 10^*$), Trunc.
Security
Security Statement for HyENA
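Main Theorem
$$\mathbf{Adv}^{\mathrm{AE}}_{\mathrm{HyENA}}(q_e, q_v, \sigma_e, \sigma_v, t) \le \mathbf{Adv}^{\mathrm{prp}}_{E_K}(q', t') + O\left(\frac{\sigma_e}{2^{n/2}} + \frac{n q_e}{2^{n/2}} + \frac{n \sigma_v}{2^{n/2}}\right)$$
where $q' = q_e + \sigma_e + q_v + \sigma_v$, which corresponds to the total number of block cipher calls through the game, and $t' = t + O(q')$.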
Security
Overall Approach
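$\mathcal{V} = \mathcal{V}_{good} \sqcup \mathcal{V}_{bad}$
$\mathrm{ip}_{real}(\tau)$ or $\mathrm{ip}_{ideal}(\tau)$: probability to realize view $\tau$ when interacting with the real or ideal oracle, respectively.
Coefficients-H Technique
If the following two conditions hold:
In the ideal oracle, the probability of getting a view in $\mathcal{V}_{bad}$ is at most $\epsilon_{bad}$.
For any view $\tau \in \mathcal{V}_{good}$, we have
$$\mathrm{ip}_{real}(\tau) \ge (1 - \epsilon_{ratio}) \cdot \mathrm{ip}_{ideal}(\tau)$$
then $|\Pr[A^{O_0} = 1] - \Pr[A^{O_1} = 1]| \le \epsilon_{bad} + \epsilon_{ratio}$.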
Security
Notations
Init: Initial State
IS: Intermediate State
Final: Final State
+: Encryption query
-: Forging query
Security
Bounding the BAD Views
Bounding COLL(IS+, IS+)
$X^+_i[j] = X^+_{i'}[j']$.
Two non-trivial linear equations: one on $\lceil Y^+_i[j-1] \rceil$ and $\lceil Y^+_{i'}[j'-1] \rceil$, the other on $\Delta^+_i$ and $\Delta^+_{i'}$.
Each probability $\frac{1}{2^n}$.
Total number of pairs $\binom{\sigma_e}{2}$.
Security
Bounding the BAD Views
Bounding COLL(Init+, IS+)
$X^+_i[j] = N_{i'} \| 0^{32}$.
Case $i \le i'$
Non-trivial equations on $\lceil Y^+_i[j-1] \rceil$ (upper part), non-trivial equations on $\Delta^+_i$ (lower part).
Each probability $\frac{1}{2^n}$.
Total number of pairs: $\binom{\sigma_e}{2}$.
Case $i > i'$
Adversary can set nonce according to his choice (upper part), non-trivial equations on $\Delta^+_i$ (lower part).
Each probability $\frac{1}{2^{n/2}}$.
Total number of pairs $n q_e$ (assuming $\mathrm{mCOLL}(\lceil C \rceil) < n$).
Security
Bounding the BAD Views
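Bounding $\mathrm{mCOLL}(\lceil C \rceil) \ge n$
$\lceil C^+_{i_1}[j_1] \rceil = \lceil C^+_{i_2}[j_2] \rceil = \cdots = \lceil C^+_{i_n}[j_n] \rceil$.
From the randomness of $C$, the probability is $\left(\frac{1}{2^{n/2}}\right)^{n-1}$.
Total number of pairs $\binom{\sigma_e}{n}$.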
Security
Bounding the BAD Views
Bounding COLL(Init+, Final+)
$\lceil X^+_i[\ell^+_i] \rceil = N_{i'} \| 0^{32}$.
Case $i \ge i'$
Non-trivial equations on $\lceil Y^+_i[\ell^+_i - 1] \rceil$ (upper part), non-trivial equations on $\Delta^+_i$ (lower part).
Each probability $\frac{1}{2^n}$.
Total number of pairs: $q_e^2$.
Case $i < i'$
Adversary can set nonce according to his choice (upper part), non-trivial equations on $\Delta^+_i$ (lower part).
Each probability $\frac{1}{2^{n/2}}$.
Total number of pairs $\frac{n q_e^2}{2^{n/4}}$ (assuming $\mathrm{mCOLL}(X^+_\ell[32..63]) < c$, where $c = \frac{n q_e}{2^{n/4}}$).
Security
Bounding the BAD Views
Bounding $\mathrm{mCOLL}(\lceil X_\ell \rceil) \ge \frac{n q_e}{2^{n/4}}$
From the randomness of $Y$, the probability is $\left(\frac{1}{2^{n/4}}\right)^{c-1}$.
Total number of pairs $\binom{q_e}{c}$.
Security
Bounding the BAD Views
Bounding COLL(IS+, IS−)
$X^-_i[p_i + 1] = X^+_{i'}[j]$.
Adversary can fix the upper part, non-trivial equations on $\Delta^+_i$ (lower part).
Each probability $\frac{1}{2^{n/2}}$.
Total number of pairs: $n \cdot q_v$.
Security
Bounding the BAD Views
Bounding COLL(IS−, INIT+)
$X^-_i[p_i + 1] = X^+_{i'}[0]$.
Adversary can fix the upper part, non-trivial equations on $\Delta^+_i$ (lower part).
Each probability $\frac{1}{2^{n/2}}$.
Total number of pairs: $q_v \cdot 2^{n/4}$.
This doesn’t provide the desired bound.
Consider the freshness of successive block.
Security
Bounding the BAD Views
Bounding COLL(IS−, INIT+)
$X^-_i[p_i + 1] = X^+_{i'}[0]$, $X^-_i[p_i + 2] = X^+_{i''}[j]$.
Adversary can fix the upper part, non-trivial equations on $\Delta^+_i$ (lower part).
Each probability $\frac{1}{2^{n/2}} \cdot \frac{1}{2^{n/2}}$.
Total number of pairs: $2^{n/4} \cdot n \cdot q_v$.
Combining all the bad views, we have
$$\epsilon_{bad} \le O\left(\frac{\sigma_e}{2^{n/2}} + \frac{n q_e}{2^{n/2}} + \frac{n \sigma_v}{2^{n/2}}\right).$$
Security
Bounding the Interpolation Probability for GOOD Views
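$$\mathrm{ip}_{ideal}(\tau) = \frac{1}{2^{n(\sigma_e + q_e)}}.$$
$$\mathrm{ip}_{real}(\tau) \ge \frac{1}{2^{n(\sigma_e + q_e)}} \left(1 - O\left(\frac{q_v}{2^n} + \frac{2n\sigma_v}{2^{n/2}}\right)\right)$$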
Combining together and using Coefficients-H Technique, the Theorem follows.
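The combining step written out with the slides' symbols, as an added derivation that is not on the slides. It assumes $q_v \le \sigma_v$ (every forging query contributes at least one block), which the slides do not state.

From the interpolation bound, $\epsilon_{ratio} = O\left(\frac{q_v}{2^n} + \frac{2n\sigma_v}{2^{n/2}}\right)$, and from the bad views, $\epsilon_{bad} \le O\left(\frac{\sigma_e}{2^{n/2}} + \frac{n q_e}{2^{n/2}} + \frac{n \sigma_v}{2^{n/2}}\right)$. The Coefficients-H Technique then gives

$$\epsilon_{bad} + \epsilon_{ratio} \le O\left(\frac{\sigma_e}{2^{n/2}} + \frac{n q_e}{2^{n/2}} + \frac{n \sigma_v}{2^{n/2}} + \frac{q_v}{2^n} + \frac{2n\sigma_v}{2^{n/2}}\right) = O\left(\frac{\sigma_e}{2^{n/2}} + \frac{n q_e}{2^{n/2}} + \frac{n \sigma_v}{2^{n/2}}\right),$$

since $\frac{2n\sigma_v}{2^{n/2}}$ is a constant multiple of $\frac{n\sigma_v}{2^{n/2}}$ and $\frac{q_v}{2^n} \le \frac{\sigma_v}{2^n} \le \frac{n\sigma_v}{2^{n/2}}$. Replacing the ideal permutation by $E_K$ adds the term $\mathbf{Adv}^{\mathrm{prp}}_{E_K}(q', t')$ of the Main Theorem.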
Security
Thank you