Efficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading
Peter Gaži (ETH Zurich, Comenius University Bratislava)
Stefano Tessaro (MIT)
Eurocrypt 2012
Outline
Block Ciphers and Key-Length Extension
Existing Approaches
Our Generic Attacks
Our Construction
Block Ciphers
[Figure: x → E (key k) → E_k(x)]
• e.g. DES, IDEA, AES
• E : {0,1}^κ × {0,1}^n → {0,1}^n
Block Cipher Security: Pseudo-Random Permutations
[Figure: distinguisher D sends forward queries x and backward queries y; it talks either to a random permutation P (answers P(x), P^{-1}(y)) or to E under a secret key K (answers E_K(x), E_K^{-1}(y)); D outputs 0/1]
• PRP advantage: Δ_D(P, E_K) := |Pr[D(P) = 1] − Pr[D(E_K) = 1]|
• PRP security: What resources does D need to achieve Δ_D(P, E_K) ≥ const?
Sufficient Key Length Is Essential
[Figure: D has oracle access to O ∈ {P, E_K} and to E itself; outputs 0/1]
• Key K recoverable in about 2^κ evaluations of E. Given O ∈ {P, E_K}:
  1. y ← O(0^n)
  2. ∀k ∈ {0,1}^κ: y^(k) ← E_k(0^n)
  3. if y = y^(k), verify k
• Upper-bounds PRP security!
• problem for e.g. DES
Generic attack!
This Paper: Key-Length Extension
[Figure: a new cipher E′ with key k′ built from E with key k: input y, internally x → E_k(x), output E′_{k′}(y)]
• Goal: construction E′[E] : {0,1}^κ′ × {0,1}^n → {0,1}^n which is again a block cipher such that
  • κ′ > κ
  • best generic attack requires > 2^κ evaluations of E, E′
Generic Security: Ideal Block Cipher Model
• ∀k: E_k is an independent uniformly random permutation
Key-Length Extension in ICM
[Figure: D queries both the construction (P or E′_{K′}[E]) and the ideal cipher E; outputs 0/1]
• queries to the construction (P or E′_{K′}[E])
• queries to E(·, ·)
Complexity measure: sum of queries
PRP security: What resources does D need to achieve Δ_D((E, P), (E, E′_{K′}[E])) ≥ const?
How many queries?
Outline
Block Ciphers and Key-Length Extension
Existing Approaches
Our Generic Attacks
Our Construction
Approach I: Cascading
[Figure: x → E_{k1} → E_{k2} → ... → E_{kℓ}; output E_{kℓ}(··· E_{k1}(x) ···)]
• Re-encrypt with independent keys
• Double Encryption: E_{k2}(E_{k1}(x))
  • Meet-in-the-middle attack (2^κ evaluations of E and E^{-1}). Given O ∈ {E_{K2}(E_{K1}(·)), P(·)}:
    1. y ← O(0^n)
    2. ∀k ∈ {0,1}^κ: u_k ← E_k(0^n)
    3. ∀k ∈ {0,1}^κ: v_k ← E_k^{-1}(y)
    4. if u_{ki} = v_{kj}: verify (ki, kj)
• Triple Encryption: E_{k3}(E_{k2}(E_{k1}(x)))
  • Secure up to 2^{κ+min{n/2,κ/2}} queries in ICM (Bellare and Rogaway, EC'06)
  • 3DES can be attacked in 2^90 queries (Lucks, FSE'98)
• Longer Cascades
  • Security improves for κ < n in ICM (Gaži and Maurer, AC'09)
Approach II: Key Whitening
[Figure: x ⊕ k1 → E_{k2} → ⊕ k3; output E_{k2}(x ⊕ k1) ⊕ k3]
• DESX [Rivest]: E_k(x ⊕ k_in) ⊕ k_out
• Secure up to 2^{(κ+n)/2} queries in ICM (Kilian and Rogaway, Crypto'96)
• Also secure if k_in = k_out: E_k(x ⊕ k′) ⊕ k′
Can we do better?
[Figure: E′ with key k′ built from E with key k: x → E_k(x), output E′_{k′}(y)]
So far ...
• no constructions secure beyond 2^{κ+min{κ/2,n/2}} queries
• security beyond 2^{max{κ,n}} requires 3 BC queries
What can be achieved with at most 2 queries to E?
Outline
Block Ciphers and Key-Length Extension
Existing Approaches
Our Generic Attacks
Our Construction
One Query Is Not Enough
Any one-query construction can achieve at most 2^{max{κ,n}} security!
[Figure: E′_{k′} on input y makes a single query E_k(x) to E and outputs E′_{k′}(y)]
• Assuming ∀k′: y ≠ y′ ⇒ x ≠ x′
Given O ∈ {E′_{K′}[E](·), P(·)}:
  1. 2^{(n+κ)/2} random distinct queries (x_j, k_j) to E
  2. 2^{(n+κ)/2} distinct queries y_i to O
  3. ∀k′: z_i ← E′_{k′}[E](y_i) if the E-value is available; check z_i =? O(y_i)
• if O = E′_{K′}: succeeds for k′ = K′
• if O = P: fails
• Non-injective queries do no better
How About Two Queries?
A natural class of 2-query constructions can achieve at most 2^{κ+n/2} security.
[Figure: E′_{k′} on input y makes two queries to E, the first mapping x to t, the second mapping u to v, and outputs E′_{k′}(y)]
• Constructions with "injective queries":
  ∀k′: y ≠ y′ ⇒ x ≠ x′
  ∀k′: t ≠ t′ ⇒ u ≠ u′
There is room for security increase, we achieve it!
Outline
Block Ciphers and Key-Length Extension
Existing Approaches
Our Generic Attacks
Our Construction
The Double XOR-Cascade
[Figure: x ⊕ z → E_k → ⊕ z → E_{k̃}; output E_{k̃}(E_k(x ⊕ z) ⊕ z)]
Definition: 2XOR_{k,z}[E](x) := E_{k̃}(E_k(x ⊕ z) ⊕ z)
• Same key z in both whitening steps
• k̃ derived from k, e.g. by a bit-flip
• key length κ + n
Main Result: Double XOR-Cascade is secure up to 2^{κ+n/2} queries.
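The following added example (not code from the paper or its authors) serves two of the slides at once: the meet-in-the-middle attack on double encryption from the cascading slide, and the 2XOR definition above. It simulates the ideal cipher model with a toy 8-bit block and 8-bit key (constructed sizes, so everything runs offline in a second), shows why double encryption buys no effective key length, and implements the double XOR-cascade with its inverse; the key derivation k̃ = k with one bit flipped is the slide's own suggestion.

```python
import random

N_BITS, K_BITS = 8, 8   # toy block/key length (constructed); real ciphers use n = 64/128
SPACE = 1 << N_BITS

def ideal_cipher(seed=2012):
    """Ideal cipher model from the slides: for every key k an independent,
    uniformly random permutation of {0,1}^n. Returns (E, E_inv)."""
    rng, perms = random.Random(seed), {}
    def table(k):
        if k not in perms:
            fwd = list(range(SPACE))
            rng.shuffle(fwd)
            perms[k] = (fwd, {y: x for x, y in enumerate(fwd)})
        return perms[k]
    return (lambda k, x: table(k)[0][x]), (lambda k, y: table(k)[1][y])

E, E_inv = ideal_cipher()

def double_enc(k1, k2, x):
    """Double encryption E_k2(E_k1(x)): 2*kappa key bits, ~kappa bits of security."""
    return E(k2, E(k1, x))

def meet_in_the_middle(oracle):
    """Steps 1-4 of the cascading slide: about 2^kappa evaluations of E plus 2^kappa
    of E^-1 instead of 2^(2*kappa). A match u_ki = v_kj on one n-bit block is a
    coincidence with probability 2^-n, so candidates are verified on two more blocks."""
    y = oracle(0)                                         # 1. y <- O(0^n)
    u = {}
    for k in range(1 << K_BITS):                          # 2. u_k <- E_k(0^n)
        u.setdefault(E(k, 0), []).append(k)
    survivors = []
    for k2 in range(1 << K_BITS):                         # 3. v_k <- E_k^-1(y)
        for k1 in u.get(E_inv(k2, y), []):                # 4. u_k1 = v_k2: verify (k1, k2)
            if all(double_enc(k1, k2, x) == oracle(x) for x in (1, 2)):
                survivors.append((k1, k2))
    return survivors

def twoxor_enc(k, z, x):
    """2XOR_{k,z}[E](x) = E_k~(E_k(x xor z) xor z); k~ = k with one bit flipped."""
    return E(k ^ 1, E(k, x ^ z) ^ z)

def twoxor_dec(k, z, y):
    """Inverse: undo the second E, the shared whitening z, the first E, then z again."""
    return E_inv(k, E_inv(k ^ 1, y) ^ z) ^ z

def is_permutation(k, z):
    """Sanity check that 2XOR with a fixed key (k, z) is a bijection on {0,1}^n."""
    return sorted(twoxor_enc(k, z, x) for x in range(SPACE)) == list(range(SPACE))
```

With the toy sizes the attack needs only 2·2^8 cipher evaluations against a 16-bit key pair, which is exactly the gap the slide's 2^κ bound describes; 2XOR uses the same two cipher calls per block but is keyed with κ + n bits.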
A Glimpse at the Proof
The Initial Setting: Δ_D((E, P), (E, 2XOR_{K,Z}[E]))
[Figure: D queries E and either the random permutation P or 2XOR_{K,Z}[E] (built from E with keys K, K̃, Z); outputs 0/1]
Goal: Δ_D small if < 2^{κ+n/2} queries
Main Steps
• Reduce to a simpler combinatorial problem
• Show it is hard
A Glimpse at the Proof (2)
The New Problem: Distinguishing Permutations
[Figure: D with access to two permutations, either (P1, P2) or (Q1, Q2); outputs 0/1]
Independent
• P1, P2 independent uniformly random permutations
Correlated
• Q1, Q2 random permutations s.t. for a random secret Z, ∀x: Q2(Q1(x ⊕ Z) ⊕ Z) = x
Hard for < 2^{n/2} queries!
Details Are Important
[Figure: four two-query variants of the XOR-cascade with independent keys k1, k2 and whitening keys z, z1, z2]
• E_{k2}(E_{k1}(x ⊕ z))
• E_{k2}(E_{k1}(x) ⊕ z)
• E_{k2}(E_{k1}(x)) ⊕ z
• E_{k2}(E_{k1}(x ⊕ z1)) ⊕ z2
Can be attacked in 2^{max{κ,n}} queries!
Summary
[Figure: x ⊕ z → E_k → ⊕ z → E_{k̃}; output E_{k̃}(E_k(x ⊕ z) ⊕ z)]
• New key-length extending construction for block ciphers
  • more efficient than triple encryption (2 BC queries per invocation)
  • more secure than triple encryption (Triple cascade: up to 2^{κ+min{κ/2,n/2}}; Double XOR-cascade: up to 2^{κ+n/2})
• Generic attacks supporting optimality
  • one-query constructions insecure above 2^{max{κ,n}}
  • "injective" two-query constructions insecure above 2^{κ+n/2}
Thank you!