Parallelizable and Authenticated Online Ciphers · 2013-12-04 · Results Table : Software performance of (authenticated) online ciphers based on the AES on the Intel Sandy Bridge

Parallelizable and Authenticated Online Ciphers1

Atul Luykx

COSICKU Leuven and iMinds

December 3, 2013

1Joint work with E. Andreeva, A. Bogdanov, B. Mennink, E. Tischhauser,

and K. Yasuda.1 / 24

Motivation: Authenticated Encryption

Authenticated Encryption (AE) = Privacy + Authenticity

1 Applications: SSH, IPsec, TLS, IEEE 802.11

2 CAESAR competition

’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12

IAPM OCB

XECB

CCM EAX

CWC

GCM

SIV BTM

HBS

McOE

Figure : AE schemes

2 / 24

Motivation: Nonce Misuse

AuthenticatedEncryption (AE)

AEK

M1

C1

3 / 24



AEK AEK

M1

C1

M1

C2

3 / 24



Nonce Respecting

AEK AEK

M1

C1

M1

C2

N1

3 / 24



Nonce Respecting

AEK AEK

M1

C1

M1

C2

N1 N2

3 / 24



Nonce Respecting

AEK AEK AEK

M1

C1

M1

C2

M2

C3

N1 N2 N3

3 / 24



Nonce Respecting

AEK AEK AEK

M1

C1

M1

C2

M2

C3

N N N

3 / 24



Nonce Respecting

AEK AEK AEK

M1

C1

M1

C1

M2

C3

N N N

3 / 24



Nonce Respecting

’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12

IAPM OCB

XECB

CCM EAX

CWC

GCM

SIV BTM

HBS

McOE

3 / 24

Motivation: OCB With Nonce Repeated

M [1] M [2] M [3] M [4]

EK

C[1]

EK

C[2]

EK

C[3]

EK

C[4]

t1 t2 t3 t4

4 / 24

Motivation: OCB With Nonce Repeated

M [1] M [2] M [3] M [4]

EK

C[1]

EK

C[2]

EK

C[3]

EK

C[4]

t1 t2 t3 t4

4 / 24



Nonce Respecting

AEK AEK AEK

M1

C1

M1

C1

M2

C3

N N N

5 / 24



Nonce Respecting

Misuse Resistant AE (MRAE)

AEK AEK AEK

M1

C1

M1

C1

M2

C3

N N N

5 / 24

Motivation: Efficiency

’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12

IAPM OCB

XECB

CCM EAX

CWC

GCM

SIV BTM

HBS

McOE

SIV, BTM, HBS:

1 High latency (receive full message before first output)

2 Storage issues (large internal state)

McOE: inherently sequential

6 / 24

Motivation: Efficiency

’00 ’01 ’02 ’03 ’04 ’05 ’06 ’07 ’08 ’09 ’10 ’11 ’12

IAPM OCB

XECB

CCM EAX

CWC

GCM

SIV BTM

HBS

McOE

SIV, BTM, HBS:

1 High latency (receive full message before first output)

2 Storage issues (large internal state)

McOE: inherently sequential

6 / 24

Motivation: Our Goal

Design an AE scheme that is

Online

Parallelizable

Misuse Resistant

7 / 24



Online

Parallelizable

Misuse Resistant

Our method:

1 Create the first parallelizable online cipher: COPE

2 Add authenticity efficiently: COPA

7 / 24



Online

Parallelizable

Misuse Resistant

Our method:

1 Create the first parallelizable online cipher: COPE

2 Add authenticity efficiently: COPA

Our desired AE scheme: COPA

7 / 24

Background: Cipher Definition

M ∈ {0, 1}∗

8 / 24


M ∈ {0, 1}∗ M Cipher

K

C

8 / 24



K

C |M | = |C|

8 / 24



K

C |M | = |C|

Cipher vs Encryption Scheme

Length-Preserving Not Necessarily

Deterministic Randomized, Stateful (nonce)

Indistinguishable from permutations Indistinguishable from random bits

8 / 24

Background: Achieving AE via Ciphers

Cipher

9 / 24


Cipher

Authentication

9 / 24


Cipher

Authentication

MRAE

9 / 24


Cipher

Authentication

MRAE

AE

Nonce Respecting

9 / 24


Cipher

Authentication

MRAE

AE

Nonce Respecting

Variable Input Length

Block Cipher

9 / 24

Background: Online Cipher Definition

1 Same interface as a cipher

2 More efficient and“on-the-fly” computing

3 Different (weaker) securityrequirement: up to prefix

10 / 24





M [1] M [2] M [3] M [4]

C[1] C[2] C[3] C[4]

Dependency in a cipher.

10 / 24





M [1] M [2] M [3] M [4]

C[1] C[2] C[3] C[4]

Dependency in a cipher.

M [1] M [2] M [3] M [4]

C[1] C[2] C[3] C[4]

Dependency in an online cipher.

10 / 24

Background: Achieving AE Via Online Ciphers

AE

Nonce Respecting

MRAE

Cipher

Authentication


Block Cipher

11 / 24


AE

Nonce Respecting

MRAE

Cipher

Authentication

Block Cipher


11 / 24


AE

Nonce Respecting

MRAE

Cipher

Authentication

Block Cipher


MRAE “up to prefix”

Nonce Respecting

Online Cipher

Authentication

11 / 24

Existing Work

1 HCBC1, HCBC2 (BBKN, Crypto ’01)

2 MHCBC, MCBC (Nandi, Indocrypt ’08)

3 Rewritten with tweakable block ciphers: TC1, TC2, TC3(Rogaway and Zhang, CT-RSA ’11)

4 McOE family (FFL, FSE ’12): TC3 with authentication

All schemes are inherently sequential.

12 / 24

Existing Work: TC3

M [1] M [2] M [3] M [4]

13 / 24

Existing Work: TC3

M [1] M [2] M [3] M [4]

EK EK EK EK

13 / 24

Existing Work: TC3

M [1] M [2] M [3] M [4]

EK EK EK EK0

13 / 24

Existing Work: TC3

M [1] M [2] M [3] M [4]

EK EK EK EK0

C[1]

13 / 24

Existing Work: TC3

M [1] M [2] M [3] M [4]

EK EK EK EK0

C[1]

+

13 / 24

Existing Work: TC3

M [1] M [2] M [3] M [4]

EK EK EK EK0

C[1]

+

C[2]

13 / 24

Existing Work: TC3

M [1] M [2] M [3] M [4]

EK EK EK EK0

C[1]

+

C[2]

+

C[3]

+

C[4]

13 / 24

Achieving Parallelizability

M [1] M [2] M [3] M [4]

EK

C[1]

EK

C[2]

EK

C[3]

EK

C[4]

14 / 24


M [1] M [2] M [3] M [4]

EK

C[1]

EK

C[2]

EK

C[3]

EK

C[4]

t1 t2 t3 t4

14 / 24


M [1] M [2] M [3] M [4]

EK EK EK EKt1 t2 t3 t4

C[1] C[2] C[3] C[4]

14 / 24


M [1] M [2] M [3] M [4]


C[1] C[2] C[3] C[4]


14 / 24


M [1] M [2] M [3] M [4]



+ + +

14 / 24


M [1] M [2] M [3] M [4]



+ + +

C[1] C[2] C[3] C[4]

14 / 24

Our Online Cipher: COPE

M [1] M [2] M [3] M [4]

EK EK EK EK20 · 3L 21 · 3L 22 · 3L 23 · 3L

EK EK EK EK21L 22L 23L 24L

+ + +

C[1] C[2] C[3] C[4]

L := EK(0)

15 / 24

Adding Authenticity to COPE

M [1]⊕M [2]⊕M [3]⊕M [4]

EK2332L

+S

EK237L

T

16 / 24

Our Authenticated Online Cipher: COPA

M [1] M [2] M [3] M [4]

EK EK EK EK20 · 3L 21 · 3L 22 · 3L 23 · 3L


+ + + +

C[1] C[2] C[3] C[4]

SV

COPE

M [1]⊕M [2]⊕M [3]⊕M [4]

EK2332L

+S

EK237L

T

Note: COPA also accepts associated data (while maintainingparallelizability)

17 / 24

Security

σ: total length of all queries in number of blocksa ≈ 40, b ≈ 4

Advcpa

COPE(t, σ) ≤a·σ2

2n+Adv

prp±1E

(t′, b · σ)

Advcpa

COPA(t, σ) ≤a·σ

2

2n+Adv

prp±1

E(t′, b · σ)

AdvintCOPA(t, σ) ≤

a·σ2

2n+Adv

prp±1

E(t′, b · σ)

18 / 24

Security: Proof Idea

M [1] M [2] M [3] M [4]

EK EK EK EK20 · 3L 21 · 3L 22 · 3L 23 · 3L


+ + +

C[1] C[2] C[3] C[4]

L := EK(0)

19 / 24


M [1] M [2] M [3] M [4]

π1 π2 π3 π4

π5 π6 π7 π8

+ + +

C[1] C[2] C[3] C[4]

19 / 24


M [1] M [2] M [3] M [4]

π1 π2 π3 π4

π5 π6 π7 π8

+ + +

C[1] C[2] C[3] C[4]

19 / 24

Results: Using AES-NI on Intel Sandy Bridge

102 103 1040

2

4

6

8

10

12

message length (bytes)

cycles

per

byte

CTRCOPECOPA

McOE-GTC1TC3

MCBC

20 / 24

Summary

1 COPE: first parallelizable, online cipher

2 COPA: misuse resistant authenticated encryption (withassociated data)

efficientsecurity reduction to block cipherCAESAR submission

21 / 24

COPE

M [1] M [2] M [3] M [4]

+ + + +

EK EK EK EK

20 · 3L 21 · 3L 22 · 3L 23 · 3L

EK EK EK EK

+ + + +21L 22L 23L 24L

+ + + +L

C[1] C[2] C[3] C[4]L := EK(0)

22 / 24

Associated Data in COPA

A[1] A[2] A[3] A[4]

+ + + +33L 2 · 33L 22 · 33L 23 · 34L

EK EK EK

+ + +

EK

V

23 / 24

Results

Table : Software performance of (authenticated) online ciphers based onthe AES on the Intel Sandy Bridge platform (AES-NI). All numbers aregiven in cycles per byte (cpb).

message length (bytes)

Algorithm 128 256 512 1024 2048 4096 8192

CTR 1.74 1.27 1.05 0.93 0.86 0.83 0.82TC1 9.00 8.75 8.65 8.60 8.56 8.56 8.56TC3 9.08 8.82 8.72 8.67 8.63 8.63 8.62MCBC 11.66 11.00 10.68 10.52 10.44 10.40 10.38COPE 2.56 2.08 1.89 1.78 1.72 1.70 1.69

McOE-G 10.85 9.73 9.14 8.90 8.74 8.69 8.66COPA 3.78 2.85 2.31 2.06 1.94 1.88 1.85

24 / 24

Documents

Parallelizable and Authenticated Online Ciphers · 2013-12-04 · Results Table : Software performance of (authenticated) online ciphers based on the AES on the Intel Sandy Bridge