HBS: A Single-Key Mode of Operation for Deterministic Authenticated Encryption
Tetsu Iwata (Nagoya University, Japan)
Kan Yasuda (NTT Corporation, Japan)
FSE 2009
2009 Feb. 25, Leuven, Belgium
Table of contents
- Background and motivation
  - Authenticated encryption (AE)
  - Deterministic AE (DAE)
  - Previous work: SIV
- HBS (Hash Block Stealing)
  - How it works
  - Its efficiency and security
Background (AE)
- Blockcipher modes of operation
- Two goals:
  - To establish authenticity (data integrity)
  - To preserve privacy (data confidentiality)
- Authenticated Encryption (AE)
  - Concurrently achieves the two goals
Background (AE, nonce-based)
- AE
  - CCM, GCM, OCB, …
  - Usually uses a randomized salt or state-dependent value
  - Formalized as nonce-based AE [Rogaway 2001, 2002, 2004]
- Nonce
  - Never repeat the same value, or lose all security
Background (DAE)
- Nonce misuse
  - Settled by Deterministic Authenticated Encryption (DAE) [Rogaway – Shrimpton 2006]
- DAE
  - “Secure” even if the same value is used (all an adversary can do is to detect the repetition)
Background (How DAE works)
- Deterministic algorithms
- Encryption
  - Input: (Header H, Message M)
  - Output: (Tag T, Encrypted Msg C)
- Decryption
  - Verifies (H, T, C)
  - Outputs either or M
Security definition of DAE
[Figure: "Real" side with Enc (H, M; T, C) and Dec (H, T, C; / M), "Ideal" side with Random (H, M; $$$) and (H, T, C). Adversaries cannot distinguish Real from Ideal.]
SIV mode of operation
- A concrete DAE mode [Rogaway – Shrimpton Eurocrypt 2006]
- “MAC-then-Encrypt”
- Entirely blockcipher-based
  - Uses CMAC* (vectorized CMAC) for authentication
  - Uses CTR mode for encryption
- Requires two keys
HBS (Hash Block Stealing)
- The HBS mode
  - Single-key
  - Also “MAC-then-Encrypt” style
  - New polynomial-hashing for MAC
  - “Odd” CTR (counter) mode for Enc
Vector-input (VI) polynomial hashing
- Motivation:
  - Two different inputs (H,M) (H’,M’)
  - We may have H || M = H’ || M’
  - Cannot use string-input polynomial hash
- New notion: VI-–AXU hash function
  - For any (H,M) (H’,M’) and Y
    Pr[ Hash_L(H,M) Hash_L(H’,M’) = Y ] ≤
  - Pr is over random hash keys L
How to construct VI--AXU hash
- Finite-field polynomial
- $L = E_K(0^n)$ is the hashing key
- For header $H = H_0 H_1 H_2$ and message $M = M_0 M_1 M_2$, hash value
  $S = L^7 + L^5 H_0 + L^3 H_1 + L H_2 + L^8 + L^6 M_0 + L^4 M_1 + L^2 M_2$
- Use odd for header and even for message
- Note the additional leading terms
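The odd/even construction above, as an added Python example (not the authors' code), showing that two splits of the same concatenated string hash differently and that dropping the leading terms lets a zero header block collide with an empty header. It extends the three-block case to h header and m message blocks with leading terms L^(2h+1) and L^(2m+2). Assumptions: n = 128, reduction polynomial x^128 + x^7 + x^2 + x + 1, whole-block inputs, and a constructed L and blocks.

```python
# Added illustration, not the authors' code. Assumptions: n = 128, reduction
# polynomial x^128 + x^7 + x^2 + x + 1, bit i = coefficient of x^i, and all
# inputs already split into whole n-bit blocks (no padding handled).
N = 128
MASK = (1 << N) - 1
REDUCTION = 0x87  # x^7 + x^2 + x + 1

def gf_mul(a, b):
    """Multiply two elements of GF(2^128) by shift-and-add."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> N:                      # degree reached 128: reduce
            a = (a & MASK) ^ REDUCTION
    return result

def horner(L2, blocks, leading):
    """L2^k + B0*L2^(k-1) + ... + B(k-1); without `leading`, L2^k is dropped."""
    acc = 1 if leading else 0
    for block in blocks:
        acc = gf_mul(acc, L2) ^ block
    return acc

def vi_hash(L, header, message, leading=True):
    """S = odd powers of L over header blocks + even powers over message blocks."""
    L2 = gf_mul(L, L)
    odd = gf_mul(L, horner(L2, header, leading))     # L^(2h+1) + ... + L*H(h-1)
    even = gf_mul(L2, horner(L2, message, leading))  # L^(2m+2) + ... + L^2*M(m-1)
    return odd ^ even                                # field addition is XOR

def string_hash(L, blocks):
    """Plain polynomial hash of a single block string, for contrast."""
    acc = 0
    for block in blocks:
        acc = gf_mul(acc ^ block, L)
    return acc

if __name__ == "__main__":
    L = 0x0123456789ABCDEF0FEDCBA987654321  # constructed; stands in for E_K(0^n)
    A, B, C = 0xA1, 0xB2, 0xC3              # constructed blocks
    print("string hash collides:", string_hash(L, [A, B] + [C]) == string_hash(L, [A] + [B, C]))
    print("VI hash collides:", vi_hash(L, [A, B], [C]) == vi_hash(L, [A], [B, C]))
    print("no leading terms, [0] vs []:", vi_hash(L, [0], [C], False) == vi_hash(L, [], [C], False))
    print("leading terms, [0] vs []:", vi_hash(L, [0], [C]) == vi_hash(L, [], [C]))
```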
Produce tag and “Steal” hash
[Figure labels: Header, Message, Polynomial Hash, S, E_K, Tag]
Steal the hash “block” and use it as IV for the CTR mode
“Odd” CTR mode
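[Figure: three blocks, each labelled with a message block, E_K, S with a counter, and a ciphertext block: (M0, S <1>, C0), (M1, S <2>, C1), (M2, S <3>, C2)]
Legend: XOR; <x>: integer x represented as bit string
Necessary for the security of HBS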
Efficiency comparison
                             SIV           HBS
# of blockcipher keys        2             1
# of calls to blockcipher    h + 2m + 2    m + 2
# of multiplications         0             h + m + 2

Header h blocks, message m blocks
Security of HBS mode
- Secure under the assumption that the blockcipher E is a SPRP
- Security theorem: $\mathrm{Adv}^{\mathrm{DAE}}(\mathrm{HBS}) \le \mathrm{Adv}^{\mathrm{SPRP}}(E) + 33q^2(1+h+2m)^2/2^n$
  - q: max # of queries
  - h: max length of each header
  - m: max length of each message