2011/2/17

SKEW2011 Lyngby

Nagoya University

Yasushi Osaki, Tetsu Iwata

Further More on Key Wrapping

1

What is key wrapping? Used to encrypt specialized data, such as

cryptographic keys

A key wrapping that also ensures integrity is called an authenticated key wrapping (AKW)

Used in key management systems Used as an adapter between incompatible systems e.g. between a key management system for 3DES and

AES etc.

2

What is key wrapping?

3

Key wrapping and AKW are widely used in practice

ANSI X9.102-2008 (2008)

IETF RFC 6030 (2010)

OASIS : Key Management Interoperability Protocol Specification Version 1.0

NIST is in the process of specifying an AKW scheme

Two approaches in designing an AKW scheme

Dedicated construction

Deterministic authenticated encryption (DAE) [RS06] SIV mode [RS06]

HBS mode

Generic composition

Hash-then-Encrypt [GH09] Hash-then-ECB, Hash-then-CBC, Hash-then-CTR, etc.

4

[GH09]R.Gennaro,S.Halevi. More on Key Wrapping. SAC2009. [RS06] Rogaway. P., Shrimpton. T.: A Provable-Security Treatment of the Key-Wrap Problem. EUROCRYPT 2006.

Gennaro and Halevi’s results

5

They examined combinations of some encryption modes and some hash functions

XOR Linear 2nd-preimage resistant

universal hash

CTR broken broken secure secure

ECB broken somewhat secure broken

CBC broken somewhat secure open problem

masked ECB/CBC

somewhat somewhat secure secure

XEX secure secure secure secure

Hash

Encryption

Gennaro and Halevi’s results

6

They examined combinations of some encryption modes and some hash functions

XOR Linear 2nd-preimage resistant

universal hash

CTR broken broken secure secure

ECB broken somewhat secure broken

CBC broken somewhat secure open problem

masked ECB/CBC

somewhat somewhat secure secure

XEX secure secure secure secure

Hash

Encryption

Gennaro and Halevi’s results

7

XOR Linear 2nd-preimage resistant

universal hash

CTR broken broken secure secure

ECB broken somewhat secure broken

CBC broken somewhat secure open problem

masked ECB/CBC

somewhat somewhat secure secure

XEX secure secure secure secure

Hash

Encryption

ECB and CBC modes are likely deployed already in existing systems

There are a large number of efficient constructions of a univ-hash function, e.g. a polynomial hash function, MMH, etc.

Our goal

8

We show

there exists a subset of univ-hash functions that can securely be used with ECB mode

there exists a subset of univ-hash functions that can securely be used with CBC mode (It is a partial answer to the open problem)

a monic polynomial is included in these subsets

univ-hash

ECB ×

secure

univ-hash

CBC ？

secure

AKW scheme

9

Wrapping key ‘W ’

Encrypt a plaintext ‘D∈{0,1}nl ’ under W C ←AKWW (D )

Decrypt a ciphertext ‘C∈{0,1}n(l+1) ’ under W D or ⊥←AKW-1

W (C )

⊥ means reject

Security for AKW (1) [GH09] Random-Plaintext Attack (RPA-security)

W

b

:

0,1:

key Wrapping

bit Challenge

b

iWi

ii

DC

DD

AKW

:, 10

random at chosen

0|1'Pr1|1'PrAdvrpa

AKW bbbbA10

AKW oracle

Adversary A invoke

iii CDD ,, 10

}1,0{'b

q times

Security for AKW (2) [GH09] Integrity of ciphertext (INT-security)

iWi

i

DC

D

AKW

:

random at chosen

W:key Wrapping

forges PrAdvint

AKW AA

11

The AKW scheme is secure, if Advrpa(A) and Advint(A) are sufficiently small

AKW oracle

Adversary A invoke

ii CD ,

ciphertext Challenge:*C

q times

Hash-then-ECB [GH09] and Hash-then-CBC [GH09]

12

Hash-then-ECB (HtECB) Hash-then-CBC (HtCBC)

Our results

13

The HtECB scheme is a secure AKW scheme if the underlying hash function is a

hash function

The HtCBC scheme is a secure AKW scheme if the underlying hash function is a

hash function

・universal ・uniform ・universalC ・uniformC

・universal ・uniform ・universalCC ・uniformCC

univ-hash

univ-hash

Our results

14

The HtECB scheme is a secure AKW scheme if the underlying hash function is a

hash function

The HtCBC scheme is a secure AKW scheme if the underlying hash function is a

hash function

・universal ・uniform ・universalC ・uniformC

・universal ・uniform ・universalCC ・uniformCC

univ-hash

univ-hash

We present these new notions

Classical notions of hash function

15

universal

uniform

)'(}1,0{', XXXX nl

A keyed hash function H is an ε1-universal hash function if

1)]'()(Pr[ XHXH LL

nnl YX }1,0{,}1,0{

A keyed hash function H is an ε2-uniform hash function

if

2])(Pr[ YXHL

be arbitrary bit strings

be arbitrary bit strings

Let

Let

New notions of hash function

16

universalC (universal with composition)

A keyed hash function H is an ε3-universalC hash function if, for each of the 2l possible choices of

nnl

l lZZXX }1,0{][],1[,}1,0{,,1

]))[,],1[('(}1,0{' lZZXX nl

and

be arbitrary bit strings

)}(],[{)}(],1[{ 1 lLL XHlZXHZX ,

3)]'()(Pr[ XHXH LL

Let

New notions of hash function

17

universalC

For example, if l =2, we require

LH

]1[Z ]2[Z

)(XHL

LH

1X]2[Z

)(XHL

LH

LH

1X

)(XHL

LH

2X

LH

LH

2X]1[Z

)(XHL

LH

Pr[

Pr[

Pr[

Pr[

])2[],1[( ZZHL

])2[),(( 1 ZXHH LL

))(],1[( 2XHZH LL

))(),(( 21 XHXHH LLL

3)]'( XHL

3)]'( XHL

3)]'( XHL

3)]'( XHL

New notions of hash function

18

uniformC (uniform with composition)

A keyed hash function H is an ε4-uniformC hash function if, for each of the 2l possible choices of

nnl

l lZZXX }1,0{][],1[,}1,0{,,1 nY }1,0{and

be arbitrary bit strings

)}(],[{)}(],1[{ 1 lLL XHlZXHZX ,

4])(Pr[ YXHL

Let

New notions of hash function

19

universalCC(universal with composition and xor constant)

A keyed hash function H is an ε5-universalCC hash

function if, for each of the 2l possible choices of

nnnl

l lVVlZZXX }1,0{][,],1[,}1,0{][],1[,}1,0{,,1

]))[,],1[('(}1,0{' lZZXX nl and be arbitrary bit strings

]}[)(],[{]}1[)(],1[{ 1 lVXHlZVXHZX lLL ,

5)]'()(Pr[ XHXH LL

Let

New notions of hash function

20

uniformCC (uniform with composition and xor constant)

A keyed hash function H is an ε6-uniformCC hash

function if, for each of the 2l possible choices of

nY }1,0{and be arbitrary bit strings

,

6])(Pr[ YXHL

nnnl

l lVVlZZXX }1,0{][,],1[,}1,0{][],1[,}1,0{,,1

]}[)(],[{]}1[)(],1[{ 1 lVXHlZVXHZX lLL

Let

Theorem 1 (HtECB)

21

Let H be an ε1-universal, ε2-uniform, ε3-universalC, ε4-uniformC hash function

E be a blockcipher

Then for any A that invokes the oracle at most q times, there exist adversaries A´ and A´´ such that

where A´ makes at most q (l +1) queries and A´´ makes at most (q +1)(l +1) queries

},{max)1(2

)''(Adv)(Adv

422

2)'(Adv)(Adv

4322

2

1

2sprpint

E]HtECB[H,

2

2

1

222

prprpa

E]HtECB[H,

lqlqq

AA

lqqlq

AA

E

nE

Proof of INT Advantage (intuition)

22 },{max)1(

2)''(Adv)(Adv 4322

2

1

2sprpint

E]HtECB[H, lqlqq

AA E

KE KE KE

]1[*D ]2[*D

]0[*C ]1[*C ]2[*C

?

LH

-1 -1 -1

*D

*C

• l =2 • D*[j] (0≦j≦2) are a hash value or a fixed constant • If D*[0] is a hash value, Pr[HL(D

*)=D*[0]]≦ε3 because H is ε3-universalC hash function

• If D*[0] is a fixed constant, Pr[HL(D

*)=D*[0]]≦ε4 because H is ε4-uniformC hash function

Theorem 2 (HtCBC)

23

Let H be an ε1-universal, ε2-uniform, ε5-universalCC, ε6-uniformCC hash function

E be a blockcipher

Then for any A that invokes the oracle at most q times, there exist adversaries A´ and A´´ such that

where A´ makes at most q (l +1) queries and A´´ makes at most (q +1)(l +1) queries

},{max)1(2

)''(Adv)(Adv

2

)1(142)'(Adv)(Adv

6522

2

1

2sprpint

E]HtCBC[H,

22

1

2prprpa

E]HtCBC[H,

lqlqq

AA

lqqAA

E

nE

Construction of a Hash Function

24

A monic polynomial hash function defined in (1) suffices to obtain an

hash function for sufficiently small ε1,...,ε6

・universal ・universalC ・universalCC ・uniform ・uniformC ・uniformCC

][]1[1 lXLXLLXH ll

L …(1) ・Input : ・Key : ・The multiplication is over GF(2n)

nllXXX 1,0,,1

nL 1,0

A monic polynomial hash function

25

It can be implemented easily from a polynomial hash function

A polynomial hash function is the basic construction of a universal hash function

Used in [MV04][NIST800-38D][Be05]

[MV04] McGrew, D., Viega, J.: The Security and Performance of the Galois/Counter Mode (GCM) of Operation.

[NIST800-38D] NIST: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC.

[Be05] Bernstein, D.J.: The poly1305-AES Message-Authentication Code.

Conclusions

26

We proposed a total of four new notions of a keyed hash function

Based on the new notions, we showed that HtECB and HtCBC schemes are secure AKW schemes

The result on the HtCBC scheme partially solves the open problem

We showed that there exists an efficient construction of a keyed hash function that satisfies all the six notions

27

Thank you!

Lemma 3

28

The keyed hash function defined in (1) is a

CCCC

CC

uniform-2

12,universal-

2

12

,uniform-2

12,universal-

2

12uniform,-

2

1universal,-

2

nn

nnnn

ll

llll

hash function

Corollary 1 (HtECB)

29

Let H be the keyed hash function defined in (1)

E be a blockcipher

Then for any A that invokes the oracle at most q times, there exist adversaries A´ and A´´ such that

where A´ makes at most q (l +1) queries and A´´ makes at most (q +1)(l +1) queries

nE

nE

lqAA

lqAA

2

)1(3)''(Adv)(Adv

2

)1(8)'(Adv)(Adv

22sprpint

E]HtECB[H,

22prprpa

E]HtECB[H,

Corollary 2 (HtCBC)

30

Let H be the keyed hash function defined in (1)

E be a blockcipher

Then for any A that invokes the oracle at most q times, there exist adversaries A´ and A´´ such that

where A´ makes at most q (l +1) queries and A´´ makes at most (q +1)(l +1) queries

nE

nE

lqAA

lqAA

2

)1(3)''(Adv)(Adv

2

)1(16)'(Adv)(Adv

22sprpint

E]HtCBC[H,

22prprpa

E]HtCBC[H,

Hash-then-ECB+ (HtECB+)

31

KE KE KE

]1[D ][lD

]0[~C

]1[C ][lC

]0[D

LH

lsb

bitn

bitdn

D

KE KE KE

]1[D ][lD

]1[C ][lC

]0[D

LH

?]0[~C

lsb

bitn

bitdn

-1 -1

D

Corollary

32

64n2l

q

)(Advint

]),(Perm,[HtECBA

dnH

dndnndnH

llqlqA

2

12

2

)1(

2

)1(3)(Adv

22int

]),(Perm,[HtECB