Transcript

1

HBS: A Single-Key Mode of Operation for Deterministic Authenticated Encryption

Tetsu Iwata (Nagoya University, Japan)
Kan Yasuda (NTT Corporation, Japan)
FSE 2009
2009 Feb. 25, Leuven, Belgium

2

Table of contents

Background and motivation
- Authenticated encryption (AE)
- Deterministic AE (DAE)
- Previous work: SIV

HBS (Hash Block Stealing)
- How it works
- Its efficiency and security

3

Background (AE)

Blockcipher modes of operation: two goals
- To establish authenticity (data integrity)
- To preserve privacy (data confidentiality)

Authenticated Encryption (AE)
- Concurrently achieves the two goals

4

Background (AE, nonce-based)

AE
- CCM, GCM, OCB, …
- Usually uses a randomized salt or state-dependent value
- Formalized as nonce-based AE [Rogaway 2001, 2002, 2004]

Nonce
- Never repeat the same value, or lose all security

5

Table of contents

Background and motivation
- Authenticated encryption (AE)
- Deterministic AE (DAE)
- Previous work: SIV

HBS (Hash Block Stealing)
- How it works
- Its efficiency and security

6

Background (DAE)

Nonce misuse
- Settled by Deterministic Authenticated Encryption (DAE) [Rogaway – Shrimpton 2006]

DAE
- “Secure” even if the same value is used (all an adversary can do is to detect the repetition)

7

Background (How DAE works)

Deterministic algorithms

Encryption
- Input: (Header H, Message M)
- Output: (Tag T, Encrypted Msg C)

Decryption
- Verifies (H, T, C)
- Outputs either ⊥ or M

8

Security definition of DAE

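[Figure: Real world: Enc takes (H, M) and returns (T, C); Dec takes (H, T, C) and returns ⊥ / M. Ideal world: Random takes (H, M) and returns random bits ($$$); the second oracle takes (H, T, C). Adversaries cannot distinguish Real from Ideal.]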

9

Table of contents

Background and motivation
- Authenticated encryption (AE)
- Deterministic AE (DAE)
- Previous work: SIV

HBS (Hash Block Stealing)
- How it works
- Its efficiency and security

10

SIV mode of operation

A concrete DAE mode [Rogaway – Shrimpton Eurocrypt 2006]
- “MAC-then-Encrypt”
- Entirely blockcipher-based
- Uses CMAC* (vectorized CMAC) for authentication
- Uses CTR mode for encryption
- Requires two keys

11

Motivation:

Can we construct a single-key DAE mode?

12

Table of contents

Background and motivation
- Authenticated encryption (AE)
- Deterministic AE (DAE)
- Previous work: SIV

HBS (Hash Block Stealing)
- How it works
- Its efficiency and security

13

HBS (Hash Block Stealing)

The HBS mode
- Single-key
- Also “MAC-then-Encrypt” style
- New polynomial-hashing for MAC
- “Odd” CTR (counter) mode for Enc

14

Vector-input (VI) polynomial hashing

Motivation
- Two different inputs $(H, M) \neq (H', M')$
- We may have $H \,\|\, M = H' \,\|\, M'$
- Cannot use string-input polynomial hash

New notion: VI-$\epsilon$-AXU hash function
- For any $(H, M) \neq (H', M')$ and $Y$: $\Pr[\mathrm{Hash}_L(H, M) \oplus \mathrm{Hash}_L(H', M') = Y] \le \epsilon$
- Pr is over random hash keys $L$

15

How to construct VI-$\epsilon$-AXU hash
- Finite-field polynomial
- $L = E_K(0^n)$ is the hashing key
- For header $H = H_0 H_1 H_2$ and message $M = M_0 M_1 M_2$, the hash value is

  $S = L^7 \oplus L^5 H_0 \oplus L^3 H_1 \oplus L H_2 \oplus L^8 \oplus L^6 M_0 \oplus L^4 M_1 \oplus L^2 M_2$

- Use odd for header and even for message
- Note the additional leading terms
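The hash on this slide as runnable code, an added example that is not from the original slides. It generalizes the three-block case to h header and m message blocks and shows two splits of the same concatenation hashing differently. The reduction polynomial x^128 + x^7 + x^2 + x + 1, the big-endian block encoding, the sample key and blocks, and all function names are assumptions; `string_hash` is an ordinary polynomial hash included only for comparison.

```python
# Added example, not from the slides: the slide-15 hash for h header and
# m message blocks. Assumptions: GF(2^128) reduced by x^128+x^7+x^2+x+1,
# big-endian blocks, inputs a whole number of 16-byte blocks (no padding).
MASK = (1 << 128) - 1
REDUCTION = 0x87  # x^7 + x^2 + x + 1, low terms of the assumed polynomial

def gf_mul(a, b):
    """Multiply two GF(2^128) elements held as Python ints."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        b >>= 1
        a <<= 1
        if a >> 128:                  # degree reached 128: reduce
            a = (a & MASK) ^ REDUCTION
    return product

def monic(y, blocks):
    """Horner evaluation of y^n + X0*y^(n-1) + ... + X(n-1)."""
    acc = 1                           # the additional leading term
    for x in blocks:
        acc = gf_mul(acc, y) ^ x
    return acc

def vi_hash(L, header, message):
    """Odd powers of L carry header blocks, even powers message blocks."""
    L2 = gf_mul(L, L)
    return gf_mul(L, monic(L2, header)) ^ gf_mul(L2, monic(L2, message))

def string_hash(L, blocks):
    """Ordinary polynomial hash of a single block string, for comparison."""
    acc = 0
    for x in blocks:
        acc = gf_mul(acc ^ x, L)
    return acc

def to_blocks(data):
    return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]

def split_demo():
    """Same concatenation H || M under two different (H, M) splits."""
    L = 0x0123456789ABCDEFFEDCBA9876543210  # constructed stand-in for E_K(0^n)
    a, b, c = (bytes([v]) * 16 for v in (0xA1, 0xB2, 0xC3))  # constructed blocks
    one = (to_blocks(a + b), to_blocks(c))   # H = A || B, M = C
    two = (to_blocks(a), to_blocks(b + c))   # H' = A, M' = B || C
    same_string = string_hash(L, one[0] + one[1]) == string_hash(L, two[0] + two[1])
    same_vector = vi_hash(L, *one) == vi_hash(L, *two)
    return same_string, same_vector          # (True, False)
```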

16

Produce tag and “Steal” hash

[Figure: Header and Message → Polynomial Hash → S → E_K → Tag]

Steal the hash “block” and use it as IV for the CTR mode

17

“Odd” CTR mode

[Figure: for $i = 0, 1, 2$, $C_i = M_i \oplus E_K(S \oplus \langle i+1 \rangle)$]

Legend: $\oplus$ = XOR; $\langle x \rangle$ = integer x rep. as bit string

Necessary for the security of HBS

18

Table of contents

Background and motivation
- Authenticated encryption (AE)
- Deterministic AE (DAE)
- Previous work: SIV

HBS (Hash Block Stealing)
- How it works
- Its efficiency and security

19

Efficiency comparison

| | SIV | HBS |
|---|---|---|
| # of blockcipher keys | 2 | 1 |
| # of calls to blockcipher | h + 2m + 2 | m + 2 |
| # of multiplications | 0 | h + m + 2 |

Header h blocks, message m blocks

20

Security of HBS mode

Secure under the assumption that the blockcipher E is a SPRP

Security theorem:

$\mathrm{Adv}^{\mathrm{DAE}}(\mathrm{HBS}) \le \mathrm{Adv}^{\mathrm{SPRP}}(E) + 33q^2(1+h+2m)^2/2^n$

- q: max # of queries
- h: max length of each header
- m: max length of each message

21

Thank you very much.

