further more on key wrapping - dtu
TRANSCRIPT
2011/2/17
SKEW2011 Lyngby
Nagoya University
Yasushi Osaki, Tetsu Iwata
Further More on Key Wrapping
1
What is key wrapping? Used to encrypt specialized data, such as
cryptographic keys
A key wrapping that also ensures integrity is called an authenticated key wrapping (AKW)
Used in key management systems Used as an adapter between incompatible systems e.g. between a key management system for 3DES and
AES etc.
2
What is key wrapping?
3
Key wrapping and AKW are widely used in practice
ANSI X9.102-2008 (2008)
IETF RFC 6030 (2010)
OASIS : Key Management Interoperability Protocol Specification Version 1.0
NIST is in the process of specifying an AKW scheme
Two approaches in designing an AKW scheme
Dedicated construction
Deterministic authenticated encryption (DAE) [RS06] SIV mode [RS06]
HBS mode
Generic composition
Hash-then-Encrypt [GH09] Hash-then-ECB, Hash-then-CBC, Hash-then-CTR, etc.
4
[GH09]R.Gennaro,S.Halevi. More on Key Wrapping. SAC2009. [RS06] Rogaway. P., Shrimpton. T.: A Provable-Security Treatment of the Key-Wrap Problem. EUROCRYPT 2006.
Gennaro and Halevi’s results
5
They examined combinations of some encryption modes and some hash functions
XOR Linear 2nd-preimage resistant
universal hash
CTR broken broken secure secure
ECB broken somewhat secure broken
CBC broken somewhat secure open problem
masked ECB/CBC
somewhat somewhat secure secure
XEX secure secure secure secure
Hash
Encryption
Gennaro and Halevi’s results
6
They examined combinations of some encryption modes and some hash functions
XOR Linear 2nd-preimage resistant
universal hash
CTR broken broken secure secure
ECB broken somewhat secure broken
CBC broken somewhat secure open problem
masked ECB/CBC
somewhat somewhat secure secure
XEX secure secure secure secure
Hash
Encryption
Gennaro and Halevi’s results
7
XOR Linear 2nd-preimage resistant
universal hash
CTR broken broken secure secure
ECB broken somewhat secure broken
CBC broken somewhat secure open problem
masked ECB/CBC
somewhat somewhat secure secure
XEX secure secure secure secure
Hash
Encryption
ECB and CBC modes are likely deployed already in existing systems
There are a large number of efficient constructions of a univ-hash function, e.g. a polynomial hash function, MMH, etc.
Our goal
8
We show
there exists a subset of univ-hash functions that can securely be used with ECB mode
there exists a subset of univ-hash functions that can securely be used with CBC mode (It is a partial answer to the open problem)
a monic polynomial is included in these subsets
univ-hash
ECB ×
secure
univ-hash
CBC ?
secure
AKW scheme
9
Wrapping key ‘W ’
Encrypt a plaintext ‘D∈{0,1}nl ’ under W C ←AKWW (D )
Decrypt a ciphertext ‘C∈{0,1}n(l+1) ’ under W D or ⊥←AKW-1
W (C )
⊥ means reject
Security for AKW (1) [GH09] Random-Plaintext Attack (RPA-security)
W
b
:
0,1:
key Wrapping
bit Challenge
b
iWi
ii
DC
DD
AKW
:, 10
random at chosen
0|1'Pr1|1'PrAdvrpa
AKW bbbbA10
AKW oracle
Adversary A invoke
iii CDD ,, 10
}1,0{'b
q times
Security for AKW (2) [GH09] Integrity of ciphertext (INT-security)
iWi
i
DC
D
AKW
:
random at chosen
W:key Wrapping
forges PrAdvint
AKW AA
11
The AKW scheme is secure, if Advrpa(A) and Advint(A) are sufficiently small
AKW oracle
Adversary A invoke
ii CD ,
ciphertext Challenge:*C
q times
Our results
13
The HtECB scheme is a secure AKW scheme if the underlying hash function is a
hash function
The HtCBC scheme is a secure AKW scheme if the underlying hash function is a
hash function
・universal ・uniform ・universalC ・uniformC
・universal ・uniform ・universalCC ・uniformCC
univ-hash
univ-hash
Our results
14
The HtECB scheme is a secure AKW scheme if the underlying hash function is a
hash function
The HtCBC scheme is a secure AKW scheme if the underlying hash function is a
hash function
・universal ・uniform ・universalC ・uniformC
・universal ・uniform ・universalCC ・uniformCC
univ-hash
univ-hash
We present these new notions
Classical notions of hash function
15
universal
uniform
)'(}1,0{', XXXX nl
A keyed hash function H is an ε1-universal hash function if
1)]'()(Pr[ XHXH LL
nnl YX }1,0{,}1,0{
A keyed hash function H is an ε2-uniform hash function
if
2])(Pr[ YXHL
be arbitrary bit strings
be arbitrary bit strings
Let
Let
New notions of hash function
16
universalC (universal with composition)
A keyed hash function H is an ε3-universalC hash function if, for each of the 2l possible choices of
nnl
l lZZXX }1,0{][],1[,}1,0{,,1
]))[,],1[('(}1,0{' lZZXX nl
and
be arbitrary bit strings
)}(],[{)}(],1[{ 1 lLL XHlZXHZX ,
3)]'()(Pr[ XHXH LL
Let
New notions of hash function
17
universalC
For example, if l =2, we require
LH
]1[Z ]2[Z
)(XHL
LH
1X]2[Z
)(XHL
LH
LH
1X
)(XHL
LH
2X
LH
LH
2X]1[Z
)(XHL
LH
Pr[
Pr[
Pr[
Pr[
])2[],1[( ZZHL
])2[),(( 1 ZXHH LL
))(],1[( 2XHZH LL
))(),(( 21 XHXHH LLL
3)]'( XHL
3)]'( XHL
3)]'( XHL
3)]'( XHL
New notions of hash function
18
uniformC (uniform with composition)
A keyed hash function H is an ε4-uniformC hash function if, for each of the 2l possible choices of
nnl
l lZZXX }1,0{][],1[,}1,0{,,1 nY }1,0{and
be arbitrary bit strings
)}(],[{)}(],1[{ 1 lLL XHlZXHZX ,
4])(Pr[ YXHL
Let
New notions of hash function
19
universalCC(universal with composition and xor constant)
A keyed hash function H is an ε5-universalCC hash
function if, for each of the 2l possible choices of
nnnl
l lVVlZZXX }1,0{][,],1[,}1,0{][],1[,}1,0{,,1
]))[,],1[('(}1,0{' lZZXX nl and be arbitrary bit strings
]}[)(],[{]}1[)(],1[{ 1 lVXHlZVXHZX lLL ,
5)]'()(Pr[ XHXH LL
Let
New notions of hash function
20
uniformCC (uniform with composition and xor constant)
A keyed hash function H is an ε6-uniformCC hash
function if, for each of the 2l possible choices of
nY }1,0{and be arbitrary bit strings
,
6])(Pr[ YXHL
nnnl
l lVVlZZXX }1,0{][,],1[,}1,0{][],1[,}1,0{,,1
]}[)(],[{]}1[)(],1[{ 1 lVXHlZVXHZX lLL
Let
Theorem 1 (HtECB)
21
Let H be an ε1-universal, ε2-uniform, ε3-universalC, ε4-uniformC hash function
E be a blockcipher
Then for any A that invokes the oracle at most q times, there exist adversaries A´ and A´´ such that
where A´ makes at most q (l +1) queries and A´´ makes at most (q +1)(l +1) queries
},{max)1(2
)''(Adv)(Adv
422
2)'(Adv)(Adv
4322
2
1
2sprpint
E]HtECB[H,
2
2
1
222
prprpa
E]HtECB[H,
lqlqq
AA
lqqlq
AA
E
nE
Proof of INT Advantage (intuition)
22 },{max)1(
2)''(Adv)(Adv 4322
2
1
2sprpint
E]HtECB[H, lqlqq
AA E
KE KE KE
]1[*D ]2[*D
]0[*C ]1[*C ]2[*C
?
LH
-1 -1 -1
*D
*C
• l =2 • D*[j] (0≦j≦2) are a hash value or a fixed constant • If D*[0] is a hash value, Pr[HL(D
*)=D*[0]]≦ε3 because H is ε3-universalC hash function
• If D*[0] is a fixed constant, Pr[HL(D
*)=D*[0]]≦ε4 because H is ε4-uniformC hash function
Theorem 2 (HtCBC)
23
Let H be an ε1-universal, ε2-uniform, ε5-universalCC, ε6-uniformCC hash function
E be a blockcipher
Then for any A that invokes the oracle at most q times, there exist adversaries A´ and A´´ such that
where A´ makes at most q (l +1) queries and A´´ makes at most (q +1)(l +1) queries
},{max)1(2
)''(Adv)(Adv
2
)1(142)'(Adv)(Adv
6522
2
1
2sprpint
E]HtCBC[H,
22
1
2prprpa
E]HtCBC[H,
lqlqq
AA
lqqAA
E
nE
Construction of a Hash Function
24
A monic polynomial hash function defined in (1) suffices to obtain an
hash function for sufficiently small ε1,...,ε6
・universal ・universalC ・universalCC ・uniform ・uniformC ・uniformCC
][]1[1 lXLXLLXH ll
L …(1) ・Input : ・Key : ・The multiplication is over GF(2n)
nllXXX 1,0,,1
nL 1,0
A monic polynomial hash function
25
It can be implemented easily from a polynomial hash function
A polynomial hash function is the basic construction of a universal hash function
Used in [MV04][NIST800-38D][Be05]
[MV04] McGrew, D., Viega, J.: The Security and Performance of the Galois/Counter Mode (GCM) of Operation.
[NIST800-38D] NIST: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC.
[Be05] Bernstein, D.J.: The poly1305-AES Message-Authentication Code.
Conclusions
26
We proposed a total of four new notions of a keyed hash function
Based on the new notions, we showed that HtECB and HtCBC schemes are secure AKW schemes
The result on the HtCBC scheme partially solves the open problem
We showed that there exists an efficient construction of a keyed hash function that satisfies all the six notions
Lemma 3
28
The keyed hash function defined in (1) is a
CCCC
CC
uniform-2
12,universal-
2
12
,uniform-2
12,universal-
2
12uniform,-
2
1universal,-
2
nn
nnnn
ll
llll
hash function
Corollary 1 (HtECB)
29
Let H be the keyed hash function defined in (1)
E be a blockcipher
Then for any A that invokes the oracle at most q times, there exist adversaries A´ and A´´ such that
where A´ makes at most q (l +1) queries and A´´ makes at most (q +1)(l +1) queries
nE
nE
lqAA
lqAA
2
)1(3)''(Adv)(Adv
2
)1(8)'(Adv)(Adv
22sprpint
E]HtECB[H,
22prprpa
E]HtECB[H,
Corollary 2 (HtCBC)
30
Let H be the keyed hash function defined in (1)
E be a blockcipher
Then for any A that invokes the oracle at most q times, there exist adversaries A´ and A´´ such that
where A´ makes at most q (l +1) queries and A´´ makes at most (q +1)(l +1) queries
nE
nE
lqAA
lqAA
2
)1(3)''(Adv)(Adv
2
)1(16)'(Adv)(Adv
22sprpint
E]HtCBC[H,
22prprpa
E]HtCBC[H,
Hash-then-ECB+ (HtECB+)
31
KE KE KE
]1[D ][lD
]0[~C
]1[C ][lC
]0[D
LH
lsb
bitn
bitdn
D
KE KE KE
]1[D ][lD
]1[C ][lC
]0[D
LH
?]0[~C
lsb
bitn
bitdn
-1 -1
D