HBS: A Single-Key Mode of Operation for Deterministic Authenticated Encryption
Tetsu Iwata (Nagoya University, Japan)
Kan Yasuda (NTT Corporation, Japan)
FSE 2009, 2009 Feb. 25, Leuven, Belgium

Table of contents
- Background and motivation
  - Authenticated encryption (AE)
  - Deterministic AE (DAE)
  - Previous work: SIV
- HBS (Hash Block Stealing)
  - How it works
  - Its efficiency and security

Background (AE)
- Blockcipher modes of operation
- Two goals:
  - To establish authenticity (data integrity)
  - To preserve privacy (data confidentiality)
- Authenticated Encryption (AE)
  - Concurrently achieves the two goals

Background (AE, nonce-based)
- AE
  - CCM, GCM, OCB, …
  - Usually uses a randomized salt or state-dependent value
  - Formalized as nonce-based AE [Rogaway 2001, 2002, 2004]
- Nonce
  - Never repeat the same value, or lose all security

Background (DAE)
- Nonce misuse
  - Settled by Deterministic Authenticated Encryption (DAE) [Rogaway – Shrimpton 2006]
- DAE
  - “Secure” even if the same value is used (all an adversary can do is to detect the repetition)

Background (How DAE works)
- Deterministic algorithms
- Encryption
  - Input: (Header H, Message M)
  - Output: (Tag T, Encrypted Msg C)
- Decryption
  - Verifies (H, T, C)
  - Outputs either or M
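
Security definition of DAE
[Figure: Real world with oracles Enc (H, M -> T, C) and Dec (H, T, C -> / M); Ideal world with Random (H, M -> $$$) and a second oracle queried with H, T, C. Adversaries cannot distinguish Real from Ideal.]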

SIV mode of operation
- A concrete DAE mode [Rogaway – Shrimpton Eurocrypt 2006]
- “MAC-then-Encrypt”
- Entirely blockcipher-based
  - Uses CMAC* (vectorized CMAC) for authentication
  - Uses CTR mode for encryption
- Requires two keys

HBS (Hash Block Stealing)
- The HBS mode
  - Single-key
  - Also “MAC-then-Encrypt” style
  - New polynomial-hashing for MAC
  - “Odd” CTR (counter) mode for Enc

Vector-input (VI) polynomial hashing
- Motivation:
  - Two different inputs (H,M) (H',M')
  - We may have H || M = H' || M'
  - Cannot use string-input polynomial hash
- New notion: VI-–AXU hash function
  - For any (H,M) (H',M') and Y
    Pr[ Hash_L(H,M) Hash_L(H',M') = Y ] ≤
  - Pr is over random hash keys L

How to construct VI--AXU hash
- Finite-field polynomial
- $L = E_K(0^n)$ is the hashing key
- For header $H = H_0 H_1 H_2$ and message $M = M_0 M_1 M_2$, hash value
  $S = L^7 \quad L^5 H_0 \quad L^3 H_1 \quad L H_2$
  $\qquad L^8 \quad L^6 M_0 \quad L^4 M_1 \quad L^2 M_2$
- Use odd for header and even for message
- Note the additional leading terms
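
Added example (not from the slides): the vector-input hash of the slide above for any number of whole blocks, set beside a string-input hash of H || M. Assumptions: the operators between terms did not survive in this transcript and are taken to be XOR (addition in GF(2^n)); n = 128 with reduction polynomial x^128 + x^7 + x^2 + x + 1; inputs are whole 16-byte blocks; L is a constructed constant standing in for E_K(0^n).

```python
# Added example: odd/even-power polynomial hash over GF(2^128).
MASK = (1 << 128) - 1
POLY = 0x87  # assumption: reduce by x^128 + x^7 + x^2 + x + 1

def gf_mul(a, b):
    """Multiply two field elements (ints < 2^128), reducing as we go."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a = (a & MASK) ^ POLY
    return r

def blocks(data):
    # Assumption: whole 16-byte blocks only; no padding rule is modelled.
    if len(data) % 16:
        raise ValueError("expected a multiple of 16 bytes")
    return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]

def horner(x, blks):
    """x^n + x^(n-1)*b_0 + ... + b_(n-1); the leading x^n encodes the block count."""
    acc = 1
    for b in blks:
        acc = gf_mul(acc, x) ^ b
    return acc

def vi_hash(L, header, message):
    """Header on odd powers of L, message on even powers, combined with XOR."""
    L2 = gf_mul(L, L)
    odd = gf_mul(L, horner(L2, blocks(header)))     # L^(2h+1) ... L*H_(h-1)
    even = gf_mul(L2, horner(L2, blocks(message)))  # L^(2m+2) ... L^2*M_(m-1)
    return odd ^ even

def string_hash(L, data):
    """String-input polynomial hash of the concatenation, for contrast."""
    return horner(L, blocks(data))

# Constructed sample values; L stands in for E_K(0^n).
L = 0x0123456789ABCDEF0FEDCBA987654321
A, B, C = b"A" * 16, b"B" * 16, b"C" * 16

if __name__ == "__main__":
    # Same concatenation, different split: the string hash cannot tell them apart.
    print(string_hash(L, A + (B + C)) == string_hash(L, (A + B) + C))
    print(vi_hash(L, A, B + C) != vi_hash(L, A + B, C))
    # Leading terms: an empty header differs from a header of one zero block.
    print(vi_hash(L, b"", b"") != vi_hash(L, bytes(16), b""))
```

All three lines print True: the split of (H, M) and the number of blocks both change the vector-input hash, while the string-input hash sees only the concatenation.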

Produce tag and “Steal” hash
[Figure: boxes labelled Header, Message, Polynomial Hash, S, E_K and Tag.]
Steal the hash “block” and use it as IV for the CTR mode
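
“Odd” CTR mode
[Figure: three parallel lanes, one per message block, each labelled with M_i, E_K, S <i+1> and C_i (M_0 with S <1>, M_1 with S <2>, M_2 with S <3>).]
Legend: XOR; <x>: integer x represented as a bit string
Necessary for the security of HBS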

Efficiency comparison

                             SIV           HBS
# of blockcipher keys        2             1
# of calls to blockcipher    h + 2m + 2    m + 2
# of multiplications         0             h + m + 2

Header h blocks, message m blocks

Security of HBS mode
- Secure under the assumption that the blockcipher E is a SPRP
- Security theorem:
  $\mathrm{Adv}^{\mathrm{DAE}}(\mathrm{HBS}) \le \mathrm{Adv}^{\mathrm{SPRP}}(E) + 33q^2(1+h+2m)^2/2^n$
  - q: max # of queries
  - h: max length of each header
  - m: max length of each message