eme -a parallelizable enciphering mode fileserver... · eme -a parallelizable enciphering mode shai...
TRANSCRIPT
EME - A Parallelizable Enciphering ModeEME - A Parallelizable Enciphering Mode
Shai Halevi – IBM
Phil Rogaway – UC Davis and Chiang Mai University
Shai Halevi – IBM
Phil Rogaway – UC Davis and Chiang Mai University
Motivation: sector-level encryption
Encrypting a disk, one sector at a time— Perhaps using a low-level hardware device
— At this level, we don’t know about files, directories
— All we have is a pile of bytes (= 1 sector), and their intended location on the disk
Even worse: using fixed-size sectors (e.g., 512 bytes)— Ciphertext-length = plaintext-length
— No space for a random IV, or authentication tag
Inherent limitations
No chaining: can “mix and match”— C1 C2 … Cm is encryption of P1 P2 … Pm
— C1� C2�…Cm� is encryption of P1� P2�… Pm�
� C1 C2�…Cm is encryption of P1 P2�… Pm
Deterministic: when re-encrypting a file, we can see what sectors have changed
No authentication: any ciphertext is decrypted as “something”
The best we can do
Encryption/decryption procedures C = Enc(K, T, P), P = Dec(K, T, C)— K – key, T (tweak) – sector address
— P – plaintext, C – ciphertext
Should look like — A block cipher with block-size = sector-size
— A different key for each sector address
— The tweak is similar to “spice” in HPC [Schroeppel ’98]
A “tweakable enciphering scheme” consists of Enc(K,T,P) / Dec(K,T,C)— Denote EK(x) = Enc(K,T,x), DK(x) = Dec(K,T,x)
— K in “key space” (e.g., {0,1}n)
— T in “tweak space” (e.g., {0,1}n)
— P/C in “message space” (e.g., UmεM{0,1}m)
For any K,T— EK , DK length-preserving, DK = (EK)−1
Formally [Liskov-Rivest-Wagner`02]
T T
T T T T
Security
Attacker has access to E(t,x), D(t,x)— Either E=Enc(K,t,x), D=Dec(K,t,x)
• K fixed, random and secret
— Or for each T
• ET(x)=E(T,x) is a random permutation
• DT = (ET)−1
The attacker cannot tell which it is— Except with insignificant advantage
Tweakable enciphering modes
Building such enciphering/deciphering procedures from a block cipher with “small blocks” (e.g., AES)
When using a “good cipher” with n-bit blocks, you get (provable) security of
���������� ������������� ���������
���
“Blockwise universal hashing”: — Non-cryptographic hashing (e.g., a linear function)
— Many ways to implement, none good enough
— Can always implement using, e.g., CBC-MAC
— But then we get “three layers of encryption”
Previous solution: (Naor-Reingold ‘97)
PP = HK’(P)
CCi = EK(PPi)
C = HK’−1(CC)
��� ������������������
� �� �! �
“�����"������#� ����$��$���”
� �� �! �
“�����"������#� ����$��$���”
�%� �����$���"������ ���"�
Are two layers enough?
How about “double PCBC*”?
�
��
�!
�&
�' �' �' �'
�
��
�!
�&
�'�'�'�'
Suspicious: not even symmetric
Easy to distinguish:
•Dec: C1C2C3C4 � P1P2P3P4
•Dec: C1C2C3C4 � P1P2P3P4
•But P2⊕P2=P3 ⊕ P3=P4 ⊕ P4
( ( ( ( (
( ( (
Are two layers enough?
How about “symmetric double PCBC*”?
�
��
�!
�&
�' �' �' �'
�
��
�!
�&
�'�'�'�'
Exactly the same problem:
•Dec: C1C2C3C4 � P1P2P3P4
•Dec: C1C2C3C4 � P1P2P3P4
•But P2⊕P2=P3 ⊕ P3=P4 ⊕ P4
( ( ( ( (
( ( (
A two-layer solution that works
CMC [HR’03]— CBC-Mask-CBC
— M = 2 Σi PPPi = 2 Σi CCCi
Inherently sequential— Because of CBC
How to design aparallelizable mode?
�
��
�!
�&
�&
�!
��
�
M
�' �' �' �'
�' �' �' �'
���
���&
����
���!
���&
���
���!
����
M M M
EK�(T)
EK�(T)
Parallelizable mode: first try
Replace CBC with masked-ECB
Thm: Insecure if mixing is linear
Even if …— mixing is key-dependent
— we ignore the tweak
— each EK uses a different key
Inspired by an attack of [Joux03]
�
��
�!
�&
�
��
�!
�&
�' �' �' �'
�' �' �' �'
���
���&
����
���!
���
���&
����
���!
L 2L 4L 8L
Very simple mixing
L 2L 4L 8L
Why linear mixing does not work
Enc: P1 P2 P3 P4 � C1 C2 C3 C4
Enc: P�1P2 P3 P4 � C�1C�2C�3C�4
Dec: C�1C2 C3 C4 � P1 P2 P3 P4
Dec: C1 C�2C�3C�4 � P�1P2 P3 P4
The last two plaintext sectors agree on P2 .. P4
�
��
�!
�&
�
��
�!
�&
�' �' �' �'
�' �' �' �'
���
���&
����
���!
���
���&
����
���!
L 2L 4L 8L
linear mixing
L 2L 4L 8L
* * * *
***�
EME, a parallelizable mode
Masking as before— L = 2EK(0)
Use block cipher also in middle— SP = Σi>1 PPPi
— M = MP ⊕ MC
— SC = Σi>1 CCCi
�
��
�!
�&
�
��
�!
�&
L
�' �' �' �'
�' �' �' �'
���
���&
����
���!
���
���&
����
���!
2L 4L 8L
L 2L 4L 8L
�' 2M 4M 8M
T⊕SP)�
)�
T⊕SC
EME, some comments
Using just one key of the underlying cipher
All the block-cipher calls are in the same direction— Only block-encrypt for encipher, only block-decrypt for decipher
2m+1 block-cipher calls for an m-block sector
Only works for m <= n— E.g., with AES, can only support up to 128 blocks (2KB)
— We can prove that EME is insecure when m > n+1
— But it can be extended (EME+) to support longer sectors
Security of EME
Want to prove: EME is secure— Strong tweakable PPR, EncK(x),DecK(x) ~ random π(x), π-1(x)
If the underlying cipher E is secure— In the same sense (but with no tweak)
Sufficient to prove security when the underlying cipher is trulyrandom— Extension to an underlying “pseudorandom cipher” is trivial
T T
Some intuition
Think of EK as random— M “random function” of P1..P4, T
— CCC1..CCC4 never used before
— C1..C4 are random
— Same for decryption
Very partial intuition— Won’t explain why linear
mixing does not work
�
��
�!
�&
�
��
�!
�&
L
�' �' �' �'
�' �' �' �'
���
���&
����
���!
���
���&
����
���!
2L 4L 8L
L 2L 4L 8L
�' 2M 4M 8M
)�
)�
T⊕SP
T⊕SC
Security statement
An attacker that makes queries totaling q blocks, has advantage at most 7 ×××× q2/2n
Assumes that underlying cipher is a truly random permutation— Extending to pseudorandom is straightforward
The attacker is allowed to mix queries of different lengths— I.e., proven security is for a VIL enciphering mode
Proving security
The proof is long and technical
Most effort invested in proving “no accidental collisions”— This is done via case-analysis
— But it takes a while to get there
— Only small part of the proof is in the proceedings
— The rest in the full version (on ePrint)
Summary
EME, a parallelizable, tweakable enciphering mode— Can be used for sector-level encryption
As efficient as the (inherently sequential) CMC— 2m+1 block-cipher calls for an m-block sector
Works for sectors of size up-to 2KB— Extension EME+ can handle sectors of any size
Full version available on ePrint, http://eprint.iacr.org/2003/147