security analysis of hyena authenticated encryption mode · security statement for hyena. main...

Security Analysis of HyENA Authenticated Encryption Mode

A.Chakraborti*, N.Datta, A.Jha, S.Mitragotri, M.Nandi

*NTT Secure Laboratories, Japan Indian Statistical Institute, Kolkata, India

Nov 06, 2019

A.Chakraborti et al. (ISI, Kolkata) Security of HyENA 1 / 25

Introduction

Motivation

Designing Lightweight Authenticated Encryption

Full Rate.

Small state size.

Small additional operations (constant mult, xor etc).


Use feedback based sequential block-cipher (n-bit) mode. State size: block-cipher state + additional auxiliary (masking) state.

N EK γ0 EK γ1 γa−1 EK Y [a]

A[0]

S[0]

A[1]

S[1]

A[a− 1]

S[a− 1]

Y [0] X[1] Y [1] · · ·

Y [a] ρ0 EK ρ1 ρm−1 EK T

M [0] C[0] M [1] C[1] M [m− 1] C[m− 1]

S[a] S[a+ 1] S[a+m− 1]

X[a+ 1] Y [a+ 1] · · ·

Figure: HyENA authenticated encryption mode for full data blocks.

Introduction

Typical Design Choice


Choice of Feedback Functions

X[i− 1]

M [i] X[i]

EK

⊕

C[i]

X[i− 1]

M [i]

X[i]

EK

⊕

C[i]

X[i− 1]

M [i] dX[i]e

EK

⊕

C[i]

Introduction

Figure: Classical Feedback Functions: PFB, OFB, CFB.

Requires at least n-bit additional masking states for security of the mode.



X[i− 1]

M [i] X[i]

EK

G

⊕⊕

C[i]

Introduction

Figure: Combined Feedback Functions: CoFB [Chakraborti et al.]

How small can we go? Requires only n/2-bit additional masking states.



X[i− 1]

M [i] X[i]

EK

G

⊕⊕

C[i]

Introduction

Figure: Combined Feedback Functions: CoFB [Chakraborti et al.]

Observation: 2n-bit XORs for the feedback function.


Introduction


X[i− 1]

M [i] dX[i]e

bX[i]c

EK

⊕

C[i]

X[i− 1]

M [i] dX[i]e

bX[i]c

EK

⊕

C[i]

X[i− 1]

M [i] dX[i]e

bX[i]c

EK

⊕

C[i]

Figure: Hybrid Feedback Functions (HyFB): (PFB, CFB), (OFB, CFB), (PFB, OFB).

Hybrid combination of classical feedbacks.

Only n-bit XORs for the feedback function.


Introduction


X[i− 1]

M [i] dX[i]e

bX[i]c

EK

⊕

C[i]

X[i− 1]

M [i] dX[i]e

bX[i]c

EK

⊕

C[i]

X[i− 1]

M [i] dX[i]e

bX[i]c

EK

⊕

C[i]

Figure: Hybrid Feedback Functions (HyFB): (PFB, CFB), (OFB, CFB), (PFB, OFB).

Can we go even smaller? Design a feedback-baced AE with HyFB function and maximum n/2-bit additional masking states.


X[0] EK HyFB+ EK HyFB+ HyFB+ X[a]

A[0]

2∆

A[1]

22∆

A[a− 1]

3 · 2a−1∆

Y [0] X[1] Y [1] · · ·

X[a] EK HyFB+ EK HyFB+ HyFB+ X[a + m]

M [0] C[0] M [1] C[1] M [m− 1] C[m− 1]

3 · 2a∆ 3 · 2a+1∆ 32 · 2a+m−2∆

Y [a] X[a + 1] Y [a + 1] · · ·

EK TdX[a + m]ebX[a + m]c

Specification

Concrete Specification of HyENA AE Mode

Figure: HyENA Authenticated Encryption Mode. Here X [0] = Nk030kb0kb1, Δ = dY [0]e.


Specification

Remark

This version of HyENA differs from the NIST Lightweight submitted version only in the masking of the final associated data.

This modification ensures identical AD and message processing, and achieves better hardware performance.


Choice of HyFB Function

dY e

bY c

⊕ dXe

dMe dCe

⊕ ⊕ bXc

bCc bMc ∆

dY e

bY c

⊕ dXe

dMe dCe

⊕ ⊕ bXc

bCc bMc ∆

Specification

(a) HyFB+ module. (b) HyFB- module.

Figure: HyFB module of HyENA for full data blocks. The number of XOR count is equals to 3n/2.



dY e

bY c

⊕ dXe

dMe dCe

Pad Trunc

⊕ bXc

⊕ ⊕bCcbMc

∆

b·cd·e

‖

10∗

dY e

bY c

dXe

⊕ ⊕dMe

dCe

d·e b·c

‖

10∗

⊕ ⊕ bXc

bCc bMc ∆

TruncPad

Specification

(a) HyFB+ module. (b) HyFB- module.

Figure: HyFB module of HyENA for partial data blocks.


Security

Security Statement for HyENA

Main Theorem

� � σe nqe nσv 0 AdvAE , σe , σv , t) ≤ Advprp (q , t 0) + O + + . HyENA(qe , qv EK 2n/2 2n/2 2n/2

where q0 = qe + σe + qv + σv which corresponds to the total number of block cipher calls through the game and t 0 = t + O(q0).


Security

Overall Approach

V = Vgood t Vbad

ipreal(τ) or ipideal(τ ): Prob to realize view τ when interacting with the real or ideal resp.

Coefficients-H Technique

If the following two holds:

In the ideal oracle, the probability of getting a view in Vbad is at most �bad .

For any view τ ∈ Vgood, we have

ipreal(τ) ≥ (1 − �ratio ) · ipideal(τ)

then | Pr[AO0 = 1] − Pr[AO1 = 1]| ≤ �bad + �ratio .


Security

Notations

Init: Initial State

IS: Intermediate State

Final: Final State

+: Encryption query

-: Forging query


Security

Bounding the BAD Views

Bounding COLL(IS+ , IS+)

X + [j ] = X + [j 0]. i i 0

Two non-trivial linear equations: One on dY + [j − 1]e and dY + [j 0 − 1]e, i i 0

Other on Δ+ i and Δ+

i 0 .

Each probability 21 n . � �

Total number of pairs σ2 e .


Security


Bounding COLL(Init+ , IS+)

X + [j ] = Ni 0 k032 . i

Case i ≤ i 0

Non-trivial equations on dY + [j − 1]e (upper part), i Non-trivial equations on Δ+ (lower part) i

1 Each probability . 2n � � Total number of pairs: σe . 2

Case i > i 0

Adversary can set nonce according to his choice (upper part), Non-trivial equations on Δ+ (lower part) i

1 Each probability 2n/2 .

Total number of pairs nqe (Assuming mCOLL(dC e) < n).


Security


Bounding mCOLL(dC e) ≥ n

dC + [j1]e = dC + [j1]e = · · · = dC + [jn]e. i1 i1 in

1 )n−1 From the randomness of C , the probability ( 2n/2 .

Total number of pairs �σe � . n


Security


Bounding COLL(Init+ , Final+)

]e = Ni 0 k032 dX + [`+ . i i

Case i ≥ i 0

Non-trivial equations on dY + [`+ − 1]e (upper part), i i Non-trivial equations on Δ+ (lower part) i

1 Each probability . 2n 2 Total number of pairs: q . e

Case i < i 0

Adversary can set nonce according to his choice (upper part), Non-trivial equations on Δ+ (lower part) i


nq e Total number of pairs 2

(Assuming mCOLL(X + [32..63]) < c , where 2n/4 `

nqe c = 2n/4 ).


Security


nqe Bounding mCOLL(dX`e) ≥ 2n/4

1 )c−1 From the randomness of Y , the probability ( 2n/4 . � �

Total number of pairs qe . c


Security


Bounding COLL(IS+ , IS−)

X − [pi + 1] = X + [j ]. i i 0

Adversary can fix the upper part, Non-trivial equations on Δ+ (lower part) i


Total number of pairs: n.qv .


Security


Bounding COLL(IS− , INIT +)

X − [pi + 1] = X + [0]. i i 0

Adversary can fix the upper part, Non-trivial equations on Δ+ (lower part). i


Total number of pairs: qv .2n/4 .

This doesn’t provide the desired bound.

Consider the freshness of successive block.


Combining all the bad views, we have �bad ≤ O�

σe

2n/2+ nqe

2n/2+ nσv

2n/2

�.

Security



X − [pi + 1] = X + [0], X − [pi + 2] = X + i i 0 i i 00 [j ]. Adversary can fix the upper part, Non-trivial equations on Δ+ (lower part). i

1 1 Each probability 2n/2 . 2n/2 .

Total number of pairs: 2n/4 .n.qv .


Security



X − [pi + 1] = X + [0], X − [pi + 2] = X + i i 0 i i 00 [j ]. Adversary can fix the upper part, Non-trivial equations on Δ+ (lower part). i

1 1 Each probability 2n/2 . 2n/2 .

Total number of pairs: 2n/4 .n.qv . � � σe nqe nσv Combining all the bad views, we have �bad ≤ O + + . 2n/2 2n/2 2n/2


Security

Bounding the Interpolation Probability for GOOD Views

1 ipideal (τ ) = 2n(σe +qe )

. � � � � 1 qv 2nσv ipreal (τ) ≥

2n(σe +qe ) 1 − O 2n +

2n/2

Combining together and using Coefficients-H Technique, the Theorem follows.


Security

Thank you


security analysis of hyena authenticated encryption mode · security statement for hyena. main...

Documents