security analysis of hyena authenticated encryption mode · security statement for hyena. main...
TRANSCRIPT
Security Analysis of HyENA Authenticated Encryption Mode
A.Chakraborti*, N.Datta, A.Jha, S.Mitragotri, M.Nandi
*NTT Secure Laboratories, Japan Indian Statistical Institute, Kolkata, India
Nov 06, 2019
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 1 / 25
Introduction
Motivation
Designing Lightweight Authenticated Encryption
Full Rate.
Small state size.
Small additional operations (constant mult, xor etc).
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 2 / 25
Use feedback based sequential block-cipher (n-bit) mode. State size: block-cipher state + additional auxiliary (masking) state.
N EK γ0 EK γ1 γa−1 EK Y [a]
A[0]
S[0]
A[1]
S[1]
A[a− 1]
S[a− 1]
Y [0] X[1] Y [1] · · ·
Y [a] ρ0 EK ρ1 ρm−1 EK T
M [0] C[0] M [1] C[1] M [m− 1] C[m− 1]
S[a] S[a+ 1] S[a+m− 1]
X[a+ 1] Y [a+ 1] · · ·
Figure: HyENA authenticated encryption mode for full data blocks.
Introduction
Typical Design Choice
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 3 / 25
Choice of Feedback Functions
X[i− 1]
M [i] X[i]
EK
⊕
C[i]
X[i− 1]
M [i]
X[i]
EK
⊕
C[i]
X[i− 1]
M [i] dX[i]e
EK
⊕
C[i]
Introduction
Figure: Classical Feedback Functions: PFB, OFB, CFB.
Requires at least n-bit additional masking states for security of the mode.
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 4 / 25
Choice of Feedback Functions
X[i− 1]
M [i] X[i]
EK
G
⊕⊕
C[i]
Introduction
Figure: Combined Feedback Functions: CoFB [Chakraborti et al.]
How small can we go? Requires only n/2-bit additional masking states.
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 5 / 25
Choice of Feedback Functions
X[i− 1]
M [i] X[i]
EK
G
⊕⊕
C[i]
Introduction
Figure: Combined Feedback Functions: CoFB [Chakraborti et al.]
Observation: 2n-bit XORs for the feedback function.
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 6 / 25
Introduction
Choice of Feedback Functions
X[i− 1]
M [i] dX[i]e
bX[i]c
EK
⊕
C[i]
X[i− 1]
M [i] dX[i]e
bX[i]c
EK
⊕
C[i]
X[i− 1]
M [i] dX[i]e
bX[i]c
EK
⊕
C[i]
Figure: Hybrid Feedback Functions (HyFB): (PFB, CFB), (OFB, CFB), (PFB, OFB).
Hybrid combination of classical feedbacks.
Only n-bit XORs for the feedback function.
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 7 / 25
Introduction
Choice of Feedback Functions
X[i− 1]
M [i] dX[i]e
bX[i]c
EK
⊕
C[i]
X[i− 1]
M [i] dX[i]e
bX[i]c
EK
⊕
C[i]
X[i− 1]
M [i] dX[i]e
bX[i]c
EK
⊕
C[i]
Figure: Hybrid Feedback Functions (HyFB): (PFB, CFB), (OFB, CFB), (PFB, OFB).
Can we go even smaller? Design a feedback-baced AE with HyFB function and maximum n/2-bit additional masking states.
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 8 / 25
X[0] EK HyFB+ EK HyFB+ HyFB+ X[a]
A[0]
2∆
A[1]
22∆
A[a− 1]
3 · 2a−1∆
Y [0] X[1] Y [1] · · ·
X[a] EK HyFB+ EK HyFB+ HyFB+ X[a + m]
M [0] C[0] M [1] C[1] M [m− 1] C[m− 1]
3 · 2a∆ 3 · 2a+1∆ 32 · 2a+m−2∆
Y [a] X[a + 1] Y [a + 1] · · ·
EK TdX[a + m]ebX[a + m]c
Specification
Concrete Specification of HyENA AE Mode
Figure: HyENA Authenticated Encryption Mode. Here X [0] = Nk030kb0kb1, Δ = dY [0]e.
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 9 / 25
Specification
Remark
This version of HyENA differs from the NIST Lightweight submitted version only in the masking of the final associated data.
This modification ensures identical AD and message processing, and achieves better hardware performance.
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 10 / 25
Choice of HyFB Function
dY e
bY c
⊕ dXe
dMe dCe
⊕ ⊕ bXc
bCc bMc ∆
dY e
bY c
⊕ dXe
dMe dCe
⊕ ⊕ bXc
bCc bMc ∆
Specification
(a) HyFB+ module. (b) HyFB- module.
Figure: HyFB module of HyENA for full data blocks. The number of XOR count is equals to 3n/2.
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 11 / 25
Choice of Feedback Functions
dY e
bY c
⊕ dXe
dMe dCe
Pad Trunc
⊕ bXc
⊕ ⊕bCcbMc
∆
b·cd·e
‖
10∗
dY e
bY c
dXe
⊕ ⊕dMe
dCe
d·e b·c
‖
10∗
⊕ ⊕ bXc
bCc bMc ∆
TruncPad
Specification
(a) HyFB+ module. (b) HyFB- module.
Figure: HyFB module of HyENA for partial data blocks.
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 12 / 25
Security
Security Statement for HyENA
Main Theorem
� � σe nqe nσv 0 AdvAE , σe , σv , t) ≤ Advprp (q , t 0) + O + + . HyENA(qe , qv EK 2n/2 2n/2 2n/2
where q0 = qe + σe + qv + σv which corresponds to the total number of block cipher calls through the game and t 0 = t + O(q0).
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 13 / 25
Security
Overall Approach
V = Vgood t Vbad
ipreal(τ) or ipideal(τ ): Prob to realize view τ when interacting with the real or ideal resp.
Coefficients-H Technique
If the following two holds:
In the ideal oracle, the probability of getting a view in Vbad is at most �bad .
For any view τ ∈ Vgood, we have
ipreal(τ) ≥ (1 − �ratio ) · ipideal(τ)
then | Pr[AO0 = 1] − Pr[AO1 = 1]| ≤ �bad + �ratio .
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 14 / 25
Security
Notations
Init: Initial State
IS: Intermediate State
Final: Final State
+: Encryption query
-: Forging query
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 15 / 25
Security
Bounding the BAD Views
Bounding COLL(IS+ , IS+)
X + [j ] = X + [j 0]. i i 0
Two non-trivial linear equations: One on dY + [j − 1]e and dY + [j 0 − 1]e, i i 0
Other on Δ+ i and Δ+
i 0 .
Each probability 21 n . � �
Total number of pairs σ2 e .
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 16 / 25
Security
Bounding the BAD Views
Bounding COLL(Init+ , IS+)
X + [j ] = Ni 0 k032 . i
Case i ≤ i 0
Non-trivial equations on dY + [j − 1]e (upper part), i Non-trivial equations on Δ+ (lower part) i
1 Each probability . 2n � � Total number of pairs: σe . 2
Case i > i 0
Adversary can set nonce according to his choice (upper part), Non-trivial equations on Δ+ (lower part) i
1 Each probability 2n/2 .
Total number of pairs nqe (Assuming mCOLL(dC e) < n).
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 17 / 25
Security
Bounding the BAD Views
Bounding mCOLL(dC e) ≥ n
dC + [j1]e = dC + [j1]e = · · · = dC + [jn]e. i1 i1 in
1 )n−1 From the randomness of C , the probability ( 2n/2 .
Total number of pairs �σe � . n
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 18 / 25
Security
Bounding the BAD Views
Bounding COLL(Init+ , Final+)
]e = Ni 0 k032 dX + [`+ . i i
Case i ≥ i 0
Non-trivial equations on dY + [`+ − 1]e (upper part), i i Non-trivial equations on Δ+ (lower part) i
1 Each probability . 2n 2 Total number of pairs: q . e
Case i < i 0
Adversary can set nonce according to his choice (upper part), Non-trivial equations on Δ+ (lower part) i
1 Each probability 2n/2 .
nq e Total number of pairs 2
(Assuming mCOLL(X + [32..63]) < c , where 2n/4 `
nqe c = 2n/4 ).
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 19 / 25
Security
Bounding the BAD Views
nqe Bounding mCOLL(dX`e) ≥ 2n/4
1 )c−1 From the randomness of Y , the probability ( 2n/4 . � �
Total number of pairs qe . c
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 20 / 25
Security
Bounding the BAD Views
Bounding COLL(IS+ , IS−)
X − [pi + 1] = X + [j ]. i i 0
Adversary can fix the upper part, Non-trivial equations on Δ+ (lower part) i
1 Each probability 2n/2 .
Total number of pairs: n.qv .
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 21 / 25
Security
Bounding the BAD Views
Bounding COLL(IS− , INIT +)
X − [pi + 1] = X + [0]. i i 0
Adversary can fix the upper part, Non-trivial equations on Δ+ (lower part). i
1 Each probability 2n/2 .
Total number of pairs: qv .2n/4 .
This doesn’t provide the desired bound.
Consider the freshness of successive block.
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 22 / 25
Combining all the bad views, we have �bad ≤ O�
σe
2n/2+ nqe
2n/2+ nσv
2n/2
�.
Security
Bounding the BAD Views
Bounding COLL(IS− , INIT +)
X − [pi + 1] = X + [0], X − [pi + 2] = X + i i 0 i i 00 [j ]. Adversary can fix the upper part, Non-trivial equations on Δ+ (lower part). i
1 1 Each probability 2n/2 . 2n/2 .
Total number of pairs: 2n/4 .n.qv .
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 23 / 25
Security
Bounding the BAD Views
Bounding COLL(IS− , INIT +)
X − [pi + 1] = X + [0], X − [pi + 2] = X + i i 0 i i 00 [j ]. Adversary can fix the upper part, Non-trivial equations on Δ+ (lower part). i
1 1 Each probability 2n/2 . 2n/2 .
Total number of pairs: 2n/4 .n.qv . � � σe nqe nσv Combining all the bad views, we have �bad ≤ O + + . 2n/2 2n/2 2n/2
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 23 / 25
Security
Bounding the Interpolation Probability for GOOD Views
1 ipideal (τ ) = 2n(σe +qe )
. � � � � 1 qv 2nσv ipreal (τ) ≥
2n(σe +qe ) 1 − O 2n +
2n/2
Combining together and using Coefficients-H Technique, the Theorem follows.
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 24 / 25
Security
Thank you
A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 25 / 25