Scientific article on the topic 'Ehe: nonce misuse-resistant message authentication'

Ehe: nonce misuse-resistant message authentication. Text of a scientific article in the specialty "Mathematics"

Keywords: MESSAGE AUTHENTICATION / AUTHENTICATED ENCRYPTION / POLYNOMIAL HASHING / PRF-SECURITY

Abstract of a scientific article in mathematics, author of the scientific work: Agievich S.V.

We propose a nonce misuse-resistant message authentication scheme called EHE (Encrypt-Hash-Encrypt). In EHE, a message-dependent polynomial is evaluated at the point which is an encrypted nonce. The resulting polynomial hash value is encrypted again and becomes an authentication tag. We prove the prf-security of the EHE scheme and extend it to two authenticated encryption modes which follow the “encrypt-then-authenticate” paradigm.


Text of the scientific work on the topic "Ehe: nonce misuse-resistant message authentication"

2018 Mathematical Methods of Cryptography No. 39

MATHEMATICAL METHODS OF CRYPTOGRAPHY

UDC 519.7

EHE: NONCE MISUSE-RESISTANT MESSAGE AUTHENTICATION

S. V. Agievich, Belarusian State University, Minsk, Belarus

We propose a nonce misuse-resistant message authentication scheme called EHE (Encrypt-Hash-Encrypt). In EHE, a message-dependent polynomial is evaluated at the point which is an encrypted nonce. The resulting polynomial hash value is encrypted again and becomes an authentication tag. We prove the prf-security of the EHE scheme and extend it to two authenticated encryption modes which follow the "encrypt-then-authenticate" paradigm.

Keywords: message authentication, authenticated encryption, polynomial hashing, prf-security.

DOI 10.17223/20710410/39/3

Introduction

Let $F$ be a finite field of $N \gg 1$ elements. Polynomial hashing over $F$ is defined as follows. A message $X$ to be hashed is transformed into a polynomial $f_X(\lambda) \in F[\lambda]$, this polynomial is evaluated at some point $H \in F$, and the result of the evaluation becomes the hash value of $X$. Further we suppose that the polynomial $f_X$ has positive degree, its constant term equals 0, and different messages are transformed into different polynomials. Usually the message $X$ is divided into blocks which determine the coefficients of $f_X$. The shorter $X$ is, the lower the degree of $f_X$. Let messages be rather short and $\deg f_X \le d \ll N$.

If $H$ is chosen uniformly at random from $F$, then the hash values of different messages $X$ and $X'$ coincide with only small probability:

$$P\{f_X(H) = f_{X'}(H)\} = P\{H \text{ is a root of } f_X - f_{X'}\} \le \frac{d}{N}. \quad (1)$$

This simple fact supports security of message authentication schemes based on polynomial hashing. Possibly the most well-known scheme of this type was proposed by M. Wegman and J. Carter in [1] and refined by V. Shoup in [2]. Following [3], we call it WCS, by the first letters of the authors' names.

The WCS scheme was successfully used in GCM, a widely deployed authenticated encryption (AE) mode. GCM was introduced in [4] and standardized in [5]. Recall that an AE mode augments an authentication scheme with an encryption one.

Let us describe WCS with inessential simplifications. The point $H$ becomes a random secret key. The additional key is a random permutation $\pi$ acting on $F$. An authentication tag $T$ (a key-dependent hash value) of $X$ is calculated using a unique nonce $S \in F$ as follows:

$$T = f_X(H) + \pi(S).$$

To instantiate WCS, $\pi$ is usually chosen as an encryption permutation of some block cipher and $H$ is usually the result of encrypting a fixed element $c \in F$ using $\pi$. This is how WCS is instantiated in GCM.

The uniqueness of nonces is essential. Indeed, if the tags $T = f_X(H) + \pi(S)$ and $T' = f_{X'}(H) + \pi(S')$ are calculated with $X \ne X'$ but $S = S'$, then an adversary can effectively determine $H$ as one of the roots of the polynomial equation $f_X(H) - f_{X'}(H) = T - T'$. After determining $H$, the adversary finds $\pi(S) = T - f_X(H)$ and then can calculate the tag $T'' = f_{X''}(H) + \pi(S)$ of any $X''$.

The described situation, a significant loss of security after some event, we call a security collapse. Message authentication schemes collapse in different ways. For example, in schemes of the CBC-MAC type (see, for example, [6]) an internal collision, which occurs after processing about $\sqrt{N}$ message blocks, allows the adversary to perform a selective forgery, that is, to forge tags of special messages. For comparison, WCS collapses much more seriously: universal forgery after only a single nonce repetition.

In the mentioned standard [5] nonce repetition is considered a misuse of GCM. The standard proposes to solve the misuse problem at the cryptoengineering layer. But it is preferable to solve such problems cryptographically, by designing authentication schemes or AE modes whose security does not collapse so much after nonce repetition. Such schemes and modes are called nonce misuse-resistant.

The GCM mode follows the "encrypt-then-authenticate" paradigm. In this paradigm the nonce misuse-sensitive scheme WCS cannot provide misuse-resistance of the whole mode. Resistance appears if we turn the paradigm into "authenticate-then-encrypt" keeping WCS. This approach was successfully implemented in the GCM-SIV mode [7]. Unfortunately, due to the paradigm shift, GCM-SIV requires an additional pass over the protected data.

In this paper we propose another approach: strengthening the basic message authentication scheme. In Section 1 we introduce a nonce misuse-resistant scheme called EHE. We justify its security and then, in Section 2, discuss details of its instantiation based on a block cipher. In Section 3 we extend EHE to AE modes which preserve the "encrypt-then-authenticate" paradigm. We denote these modes as AE[EHE]. Note that the first mode was standardized in [8] under the name belt-datawrap. We accompanied it with a rather cumbersome proof of security. In this paper the proof is drastically simplified.

1. The EHE scheme

In the proposed EHE scheme, a key is a pair of permutations $\pi_1$ and $\pi_2$ acting on $F$. A message $X$ to be authenticated is represented by a polynomial $f_X$ which satisfies the previous restrictions. A tag $T$ is calculated using a nonce $S \in F$ as a value of the following function:

$$\varphi[\pi_1, \pi_2](X, S) = \pi_2(f_X(\pi_1(S))).$$

In this function we start with the permutation $\pi_1$, continue with polynomial hashing and finish with the permutation $\pi_2$. The permutations mean block encryption, so we deal with the Encrypt-Hash-Encrypt cascade, or EHE for short.

In contrast to WCS, the polynomials $f_X$ are evaluated not at a fixed point $H = \pi(c)$ but generally at different points $H = \pi_1(S)$. It is well known (see, for example, [9, Theorem 6.13]) that the polynomial $g(\lambda, \lambda') = f_X(\lambda) - f_{X'}(\lambda') \in F[\lambda, \lambda']$ has at most $\deg g \cdot N = \max(\deg f_X, \deg f_{X'}) N$ roots in $F^2$. Therefore, for independent random $H, H'$, each uniformly distributed over $F$, and for arbitrary messages $X, X'$ it holds that

$$P\{f_X(H) = f_{X'}(H')\} \le \frac{\max(\deg f_X, \deg f_{X'}) N}{N^2} \le \frac{d}{N}.$$

This bound forms the basis of our security proofs of EHE. More precisely, we use the slightly stronger bound:

$$P\{f_X(H) = f_{X'}(H') \mid H \ne H'\} \le \frac{d}{N}. \quad (2)$$

It follows from the fact that the polynomial $g(\lambda, \lambda')$ has at most $d(N - 1)$ roots $(H, H')$ such that $H \ne H'$. Indeed, the substitution $\lambda' = \lambda + \mu$ transforms $g$ into a polynomial $g'(\lambda, \mu)$. The number of suitable roots of $g$ is the number of roots of $g'$ with a nonzero last coordinate. This coordinate can be chosen in $N - 1$ ways. Each choice $\mu = c$ yields the univariate polynomial $g'(\lambda, c)$ which has at most $d$ roots.

Let us justify the prf-security of EHE, that is, the indistinguishability of $\varphi[\pi_1, \pi_2]$ from a truly random (ideal) message authentication function. The indistinguishability means that $\varphi[\pi_1, \pi_2]$ is pseudorandom (it "looks" random), or prf for short. Let an adversary $A$ (a probabilistic algorithm) have access to a message authentication oracle $G$ which on a query $(X, S)$ gives a response $T$. The oracle implements either the function $\varphi[\pi_1, \pi_2]$ (a real implementation) or a truly random function $\rho$ (an ideal implementation). In the real implementation, the permutations $\pi_1, \pi_2$ are chosen independently and uniformly at random from the set of all permutations on $F$. In the ideal implementation, the oracle, given a new query, chooses a response $T$ uniformly at random from $F$ independently of previous responses. The adversary can make arbitrary queries and can collect and analyze the corresponding responses. Its task is to determine which function $G$ implements. The adversary returns 1 if it decides that $G$ is $\varphi[\pi_1, \pi_2]$, or 0 if it is $\rho$. Let $A^G$ be the output of $A$.

The quality of $A$'s distinguishing capabilities is characterized by the advantage

$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{EHE}}(A) = \left| P\{A^{\varphi[\pi_1, \pi_2]} = 1\} - P\{A^{\rho} = 1\} \right|.$$

The probabilities here are over the random tape of $A$ and over the random choice of $\pi_1, \pi_2$ and $\rho$. If $\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{EHE}}(A)$ is small, then it is hard for the adversary to distinguish $\varphi[\pi_1, \pi_2]$ from $\rho$.

Theorem 1. Let EHE be built over a field of $N$ elements. Let an adversary $A$ make at most $q$ queries $(X, S)$ and messages $X$ in these queries be such that $\deg f_X \le d$. Then

$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{EHE}}(A) \le \frac{q(q - 1)d}{2N}.$$

Proof. Let $(X_1, S_1), \ldots, (X_q, S_q)$ be different queries and $T_1, \ldots, T_q$ be different elements of $F$ (potential responses). It is sufficient to prove that

$$p = P\{\varphi[\pi_1, \pi_2](X_i, S_i) = T_i : i = 1, \ldots, q\} \ge \frac{1}{N^q}(1 - \varepsilon), \quad \varepsilon = \frac{q(q - 1)(d - 1)}{2N}.$$

Indeed, then using the H-coefficients technique [10] or, more precisely, Theorem 1 from [11], we obtain

$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{EHE}}(A) \le \frac{q(q - 1)}{2N} + \varepsilon = \frac{q(q - 1)d}{2N}.$$

Let $H_i = \pi_1(S_i)$ and $Y_i = f_{X_i}(H_i)$, $i = 1, \ldots, q$. Introduce the event $D_1$ that all $Y_i$ are distinct and the event $D_2$ that $\pi_2(Y_i) = T_i$ for each $i$. Let us estimate the probabilities $P\{D_1\}$ and $P\{D_2 \mid D_1\}$. They are correspondingly determined by the random choice of $\pi_1$ and $\pi_2$. The estimates (1), (2) imply

$$P\{Y_i = Y_j\} = P\{f_{X_i}(\pi_1(S_i)) = f_{X_j}(\pi_1(S_j))\} = P\{f_{X_i}(H_i) = f_{X_j}(H_j)\} \le \frac{d}{N}$$

regardless of whether $S_i$ and $S_j$ coincide or not. Indeed, if $S_i = S_j$ then $H_i = H_j$ is uniformly distributed over $F$ and (1) works. If $S_i \ne S_j$ then $(H_i, H_j)$ is uniformly distributed over $F^2 \setminus \{(a, a) : a \in F\}$ and (2) works. In whole,

$$P\{D_1\} \ge 1 - \sum_{1 \le i < j \le q} P\{Y_i = Y_j\} \ge 1 - \frac{q(q - 1)d}{2N}.$$

Denote by $N^{[q]}$ the $q$th factorial power of $N$:

$$N^{[q]} = N(N - 1) \cdots (N - q + 1) = N^q \prod_{j=0}^{q-1}\left(1 - \frac{j}{N}\right) \ge N^q\left(1 - \frac{q(q - 1)}{2N}\right).$$

We have

$$P\{D_2 \mid D_1\} = \frac{1}{N^{[q]}} \ge \frac{1}{N^q}\left(1 + \frac{q(q - 1)}{2N}\right)$$

and

$$p \ge P\{D_2 \mid D_1\} P\{D_1\} \ge \frac{1}{N^q}\left(1 + \frac{q(q - 1)}{2N}\right)\left(1 - \frac{q(q - 1)d}{2N}\right) \ge \frac{1}{N^q}(1 - \varepsilon),$$

which was to be proved.

which was to be proved.

The theorem implies that the EHE authentication remains prf-secure as long as the number of messages processed by a single key is well below $\sqrt{N/d}$. The prf-security is the strongest property of message authentication schemes. In particular, it implies security against forgery attacks. In these attacks an adversary interacts with $G = \varphi[\pi_1, \pi_2]$ making arbitrary queries and getting corresponding responses. The adversary's aim is to predict the response to a query that has not been made yet.

Both permutations $\pi_1$ and $\pi_2$ in EHE are necessary. Let us confirm this fact in the context of forgery attacks. If $\pi_1$ is omitted, then an adversary can effectively find different messages $X$ and $X'$ with the same hash values $f_X(S)$ and $f_{X'}(S)$. Then using a tag $T = \pi_2(f_X(S))$ of $X$ the adversary determines the tag $T' = T$ of $X'$ without a query. If $\pi_2$ is omitted, then an adversary finds $H = \pi_1(S)$ from $T = f_X(H)$ and determines the tag $T' = f_{X'}(H)$ of an arbitrary $X'$, again without a query.

The theorem means that EHE preserves security even if nonces repeat. In principle, EHE can be used with a fixed nonce $S = c$. But in this case security collapses in the following sense. As soon as an adversary finds a collision of tags $T$ and $T'$ of different messages $X$ and $X'$, it obtains the polynomial equation $f_X(H) = f_{X'}(H)$ in $H = \pi_1(c)$. After determining $H$, the adversary constructs a new message $X''$ such that $f_{X''}(H) = f_X(H)$ and determines its tag $T'' = T$ without a query. Note that the collision $T = T'$ is expected to occur, and EHE is expected to collapse, after about $\sqrt{N}$ queries to the authentication oracle. This fact does not contradict the bound of the theorem.

To determine $H$ the adversary first finds the roots of the polynomial $f_X(\lambda) - f_{X'}(\lambda)$ (let us ignore the time required) and then checks each of them to localize the right one. To check a root it is necessary to make a special query, for example, $(X'', S)$. Let $M$ be the number of different roots. If $M$ is large, then the number of check queries is large too. But if $M$ is small, then the collision probability $M/N$ is small too. Therefore, regardless of $M$, the check-time to collision-probability ratio for the pair $(X, X')$ is of order $N$.

The situation changes drastically if nonces do not repeat. In this case the collision $T = T'$ means that $(H, H')$ is a root of the bivariate polynomial $g(\lambda, \lambda') = f_X(\lambda) - f_{X'}(\lambda')$. Let $g$ have $M$ different roots. There are at least $\frac{M}{2d}$ different coordinates of these roots, and the time to check is of lower order $\frac{M}{d}$. The collision occurs with probability $\frac{M}{N(N - 1)}$, and the check-time to collision-probability ratio of the pair $(X, X')$ is of lower order $\frac{N^2}{d}$, that is, it dramatically increases compared to the previous situation.

2. Instantiation

Instead of two secret permutations it is convenient to use only one, say $\pi$, and derive $\pi_1$ and $\pi_2$ from it. We are interested in two variants (instantiation templates) of such derivation: $(\pi_1, \pi_2) = (\pi, \pi)$ and $(\pi_1, \pi_2) = (\pi^2, \pi)$. The first template is clearly natural; the second one will be used in the following section while extending EHE to AE[EHE]. Let, as usual, $\pi$ be chosen uniformly at random from the set of all permutations on $F$.

Theorem 2. Let EHE be built over a field of $N$ elements with $(\pi_1, \pi_2) = (\pi, \pi)$. Let an adversary $A$ make at most $q$ queries $(X, S)$ and messages $X$ in these queries be such that $\deg f_X \le d$. Then

$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{EHE}}(A) \le \frac{q(3q - 1)d}{2N}.$$

Proof. Modify the previous proof. Let the event $D_1$ suppress not only the collisions $Y_i = Y_j$ but also the collisions $Y_i = S_j$ and $T_i = H_j$. The additional restrictions mean that every pair $(Y_i, T_i)$ is fresh, that is, $\pi_2$ can map $Y_i$ to $T_i$ despite the facts that $H_j = \pi_1(S_j)$ and $\pi_1 = \pi_2$.

There are $q^2$ additional collisions of each type; their probabilities are

$$P\{Y_i = S_j\} = P\{f_{X_i}(\pi_1(S_i)) = S_j\} = P\{\pi_1(S_i) \text{ is a root of } f_{X_i} - S_j\} \le \frac{d}{N}, \qquad P\{T_i = H_j\} = P\{\pi_1(S_j) = T_i\} = \frac{1}{N}.$$

In whole,

$$P\{D_1\} \ge 1 - \frac{q(q - 1)d}{2N} - \frac{q^2 d}{N} - \frac{q^2}{N} = 1 - \frac{q(3q - 1)d + 2q^2}{2N}.$$

The event $D_1$ fixes no more than $q$ different pairs (a preimage $S_j$, an image $H_j$) of $\pi_1 = \pi$. So there are at least $(N - q)^{[q]}$ ways to determine images of $\pi_2 = \pi$ for the $q$ additional preimages $Y_1, \ldots, Y_q$, and only one of these ways is suitable, that is, $T_1, \ldots, T_q$. Repeating the estimation technique of the previous proof, we obtain

$$P\{D_2 \mid D_1\} \ge \frac{1}{(N - q)^{[q]}} \ge \frac{1}{N^q}\left(1 + \frac{q(3q - 1)}{2N}\right).$$

Combining the bounds on $P\{D_1\}$ and $P\{D_2 \mid D_1\}$ completes the proof. ■

The permutation $\pi$ can be interpreted as an ideal implementation of a block encryption oracle $E$. It is an internal oracle of EHE to which $A$ does not have direct access. A real implementation of $E$ is a permutation $F_K$ chosen uniformly at random from a family $\mathcal{F} = \{F_K\}$ of permutations acting on $F$. This family is called a block cipher. The index $K$ above is a random key of this cipher. Let EHE[$\mathcal{F}$] be the EHE scheme with the described instantiation of $E$.

The advantage of $A$ against EHE[$\mathcal{F}$] is defined and estimated in the following way:

$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{EHE}[\mathcal{F}]}(A) = \left| P\{A^{\varphi[F_K, F_K]} = 1\} - P\{A^{\rho} = 1\} \right| \le \mathrm{Adv}^{\mathrm{prf}}_{\mathrm{EHE}}(A) + \left| P\{A^{\varphi[F_K, F_K]} = 1\} - P\{A^{\varphi[\pi, \pi]} = 1\} \right|.$$

The last summand characterizes the quality of distinguishing $E$, that is, differentiating between its real implementation $F_K$ and its ideal implementation $\pi$. The advantage of an adversary $B$ which distinguishes $E$ is defined similarly to the advantage of $A$:

$$\mathrm{Adv}^{\mathrm{prp}}_{\mathcal{F}}(B) = \left| P\{B^{F_K} = 1\} - P\{B^{\pi} = 1\} \right|.$$

Let $\mathrm{Adv}^{\mathrm{prp}}_{\mathcal{F}}(t, q)$ be the maximum of $\mathrm{Adv}^{\mathrm{prp}}_{\mathcal{F}}(B)$ over all $B$ which run in time at most $t$ and make at most $q$ queries to $E$.

The adversary $B$ can use $A$ to distinguish $E$. To do this, $B$ simulates the oracle $G = \varphi[E, E]$, whose response $E(f_X(E(S)))$ to $(X, S)$ the adversary determines by making two queries to $E$ and one polynomial hashing. The adversary $B$ grants $A$ access to the simulated oracle, waits for the output from $A$ and returns this output as its own. The simulation of $G$ needs $q^* = 2q$ queries to $E$ and time $t^* = O(qd)$.

If $A$ runs in time $t$, then

$$\left| P\{A^{\varphi[F_K, F_K]} = 1\} - P\{A^{\varphi[\pi, \pi]} = 1\} \right| = \mathrm{Adv}^{\mathrm{prp}}_{\mathcal{F}}(B) \le \mathrm{Adv}^{\mathrm{prp}}_{\mathcal{F}}(t + t^*, q^*)$$

and, in whole,

$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{EHE}[\mathcal{F}]}(A) \le \mathrm{Adv}^{\mathrm{prf}}_{\mathrm{EHE}}(A) + \mathrm{Adv}^{\mathrm{prp}}_{\mathcal{F}}(t + t^*, q^*).$$

The arguments above are standard in provable security. The last estimate can be used to continue all our further theorems. In such a continuation one should only refine $q^*$ (the total number of $A$'s indirect queries to the internal oracle $E$) and $t^*$ (the time to simulate $G$ over $E$).

3. The AE[EHE] modes

The permutation $\pi$ can be used not only to instantiate EHE, but also to manage encryption, that is, to extend EHE to AE[EHE]. In this section we provide two modes of authenticated encryption based on EHE. In both modes plaintexts and ciphertexts are considered as words in the alphabet $F$.

A plaintext is encrypted in the counter mode using a full-cycle permutation $\mathrm{next}$ acting on $F$. A nonce $S$ is used to calculate $H = \pi(S)$ and then the sequence $C_1 = \mathrm{next}(H)$, $C_2 = \mathrm{next}(C_1) = \mathrm{next}^2(H), \ldots$ of counters. The encrypted counters $r_k = \pi(C_k)$ are added to the plaintext symbols during encryption or subtracted from the ciphertext symbols during decryption. An adversary can get $\pi(C_k)$ (it can subtract a known plaintext from an intercepted ciphertext) but not $C_k$.

The obtained ciphertext and arbitrary additional data form a message $X$ which is authenticated using EHE. Since $\deg f_X \le d$, the length of the plaintext cannot exceed $d$, and at most $d$ symbols $r_k$ are sufficient for encryption.

We cannot justify the security of AE[EHE] in the general case if the template $(\pi_1, \pi_2) = (\pi, \pi)$ is used. This is due to possible similarities between $f_X$ and $\mathrm{next}^k$. For example, if $f_X$ and $\mathrm{next}^k$ act identically, then an adversary can predict $T = \pi(f_X(\pi(S)))$ using $r_k = \pi(\mathrm{next}^k(\pi(S))) = T$. We should either impose restrictions on $\mathrm{next}$ or change the template.

Start with the second option. The simplest suitable template is $(\pi_1, \pi_2) = (\pi^2, \pi)$. It separates the preimage $\pi^2(S)$ of $f_X$ from the preimage $\pi(S)$ of $\mathrm{next}^k$ and makes similarities between $f_X$ and $\mathrm{next}^k$ ineffective. The whole AE[EHE] mode with the new template can be depicted as follows:

    S --pi--> Z --pi--> H --f_X--> Y --pi--> T
              |
            next
              v
             C1 --next--> C2 --next--> C3 --next--> ...
              |            |            |
             pi           pi           pi
              v            v            v
             r1           r2           r3
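The EHE tag of Section 1 together with the AE[EHE] mode just depicted, using the $(\pi^2, \pi)$ template, as an added worked example written for this edit (it is not code from the paper or from the belt-datawrap standard). It assumes the toy prime field GF(8191) in place of $F$, a seeded random shuffle in place of the block cipher $\pi$, an affine counter permutation $\mathrm{next}$ with a primitive multiplier, and a constructed length-block encoding of $X$ that keeps $X \mapsto f_X$ injective.

```python
import random

P = 8191  # constructed toy parameter: the prime field GF(8191) plays the role of F, so N = 8191
FACTORS = (2, 3, 5, 7, 13)  # prime factors of N - 1 = 8190, used to find a primitive element

def poly_hash(coeffs, h):
    """f_X(h) for f_X(x) = c1*x + c2*x^2 + ... + cm*x^m (zero constant term), by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc + c) * h % P
    return acc

def encode(assoc, ctext):
    """Coefficients of f_X for the message X = (additional data, ciphertext).
    The two leading length blocks (a constructed choice) make X -> f_X injective and keep deg f_X > 0."""
    return [len(assoc) + 1, len(ctext) + 1] + list(assoc) + list(ctext)

def keyed_perm(seed):
    """Stand-in for an ideal block cipher: a secret random permutation of F selected by the key (seed)."""
    pi = list(range(P))
    random.Random(seed).shuffle(pi)
    return pi

def compose(p, q):
    """Permutation x -> p(q(x)); compose(pi, pi) is the pi^2 of the (pi^2, pi) template."""
    return [p[q[x]] for x in range(P)]

def ehe_tag(pi1, pi2, coeffs, nonce):
    """The EHE scheme of Section 1: T = pi2(f_X(pi1(S)))."""
    return pi2[poly_hash(coeffs, pi1[nonce])]

def primitive_root():
    """Smallest primitive element of GF(8191)."""
    return next(g for g in range(2, P) if all(pow(g, (P - 1) // f, P) != 1 for f in FACTORS))

def make_next(a, b):
    """Affine counter permutation next: C -> a*C + b (almost-full-cycle when a is primitive)."""
    return lambda c: (a * c + b) % P

def keystream(pi, nxt, z, length):
    """Encrypted counters r_k = pi(next^k(Z)) for k = 1..length."""
    out, counter = [], z
    for _ in range(length):
        counter = nxt(counter)
        out.append(pi[counter])
    return out

def ae_encrypt(pi, pi_sq, nxt, assoc, plain, nonce):
    """AE[EHE] with template (pi1, pi2) = (pi^2, pi): the counters start from Z = pi(S),
    while f_X is evaluated at the separate point H = pi(Z) = pi^2(S)."""
    z = pi[nonce]
    ctext = [(m + r) % P for m, r in zip(plain, keystream(pi, nxt, z, len(plain)))]
    return ctext, ehe_tag(pi_sq, pi, encode(assoc, ctext), nonce)

def ae_decrypt(pi, pi_sq, nxt, assoc, ctext, tag, nonce):
    """Verify the tag before stripping the keystream; None means the tag did not verify."""
    if ehe_tag(pi_sq, pi, encode(assoc, ctext), nonce) != tag:
        return None
    return [(c - r) % P for c, r in zip(ctext, keystream(pi, nxt, pi[nonce], len(ctext)))]

if __name__ == "__main__":
    pi = keyed_perm(2024)                                  # constructed key
    pi_sq, nxt = compose(pi, pi), make_next(primitive_root(), 7)
    ctext, tag = ae_encrypt(pi, pi_sq, nxt, [5, 6], [1, 2, 3], nonce=42)
    print(ctext, tag, ae_decrypt(pi, pi_sq, nxt, [5, 6], ctext, tag, 42))
```

Because $\pi$ is a bijection, any change to the ciphertext or additional data that changes $f_X$ at the hash point changes the tag, which is what the decrypt check relies on.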

Theorem 3. Let EHE be built over a field of $N$ elements with $(\pi_1, \pi_2) = (\pi^2, \pi)$. Let an adversary $A$ make at most $q$ queries $(X, S)$ and messages $X$ in these queries be such that $\deg f_X \le d$. Let the adversary, in addition to each response $T$, receive at most the $d$ first elements of the sequence $r_1 = \pi(\mathrm{next}(\pi(S))), r_2 = \pi(\mathrm{next}^2(\pi(S))), \ldots$ and let $r$ be the total number of such elements. Then

$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{EHE}}(A) \le \frac{q(5q + 2r - 1)d}{2N}.$$

Proof. Again modify the previous proof. Let $Z_j = \pi(S_j)$, $H_j = \pi(Z_j)$, $C_{j,k} = \mathrm{next}^k(Z_j)$, $r_{j,k} = \pi(C_{j,k})$. In the event $D_1$ suppress the following collisions:

    Collisions        Quantity     Probability (upper bound)
    Y_i = Y_j         q(q - 1)/2   d/N
    Y_i = S_j         q^2          d/N
    Y_i = Z_j         q^2          d/N
    Y_i = C_{j,k}     qr           d/N
    T_i = Z_j         q^2          1/N
    T_i = H_j         q^2          1/N
    T_i = r_{j,k}     qr           1/N

These restrictions guarantee the freshness of the pairs $(Y_i, T_i)$. Processing the last two columns of the table, we obtain

$$P\{D_1\} \ge 1 - \frac{q(5q + 2r - 1)d + 4q^2 + 2qr}{2N}.$$

The event $D_1$ fixes at most $2q + r$ different images of $\pi$. Hence there are at least $(N - 2q - r)^{[q]}$ ways to determine $q$ additional images which correspond to the preimages $Y_1, \ldots, Y_q$, and only one of these ways is suitable. As a result,

$$P\{D_2 \mid D_1\} \ge \frac{1}{(N - 2q - r)^{[q]}} \ge \frac{1}{N^q}\left(1 + \frac{q(5q + 2r - 1)}{2N}\right).$$

Repeating the estimation technique of the previous proof, we get the result required. ■

The instantiation template $(\pi_1, \pi_2) = (\pi, \pi)$ is preferable to $(\pi_1, \pi_2) = (\pi^2, \pi)$ because it requires one less encryption. As we said before, to securely use the template $(\pi_1, \pi_2) = (\pi, \pi)$ it is necessary to impose restrictions on $\mathrm{next}$. These restrictions should impede collisions of the form $f_X(H) = \mathrm{next}^k(H)$ or even of the form $f_X(H) = \mathrm{next}^k(H')$, $H \ne H'$.

In this connection, call the permutation $\mathrm{next}$ $(d, \delta)$-uniform if for any suitable $f_X$ with $\deg f_X \le d$ and each $k = 1, \ldots, d$ it holds that

$$P\{f_X(H) = \mathrm{next}^k(H)\},\ P\{f_X(H) = \mathrm{next}^k(H') \mid H \ne H'\} \le \frac{d\delta}{N}.$$

Here $H$ and $H'$ are independent random, each uniformly distributed over $F$.

Example. Consider an affine permutation $\mathrm{aff}\colon H \mapsto aH + \beta$, $a, \beta \in F \setminus \{0\}$. If $a$ is the multiplicative unit of $F$, then $\mathrm{aff}$ is $(d, 1)$-uniform, the best we can get, but it is a full cycle only if $F$ is prime. For arbitrary $F$ the permutation $\mathrm{aff}$ turns into an almost-full-cycle if $a$ is primitive. Indeed, in this case $\mathrm{aff}$ decomposes into a cycle of length $N - 1$ and a fixed point $\beta/(1 - a)$. The probability of falling into the sole fixed point during encryption is negligible, and $\mathrm{aff}$ can be used in the counter mode without meaningful loss of security.
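As an added check of the claims in this Example (written for this edit, not code from the paper), the following enumerates the cycle structure of $\mathrm{aff}$ over the toy field GF(8191), confirms the fixed point $\beta/(1 - a)$ for a primitive $a$, and counts exactly how many $H$ satisfy $f_X(H) = \mathrm{next}^k(H)$ for one constructed $f_X$, which is the quantity the $(d, \delta)$-uniformity definition bounds by $d\delta$ after division by $N$.

```python
P = 8191                    # constructed toy parameter: the prime field GF(8191) stands in for F, N = 8191
FACTORS = (2, 3, 5, 7, 13)  # prime factors of N - 1 = 8190

def aff(a, b):
    """The affine permutation aff: H -> a*H + b on GF(P), with a and b nonzero."""
    return lambda h: (a * h + b) % P

def cycle_lengths(perm):
    """Cycle structure of a permutation of GF(P) as a sorted list of cycle lengths."""
    seen, lengths = [False] * P, []
    for start in range(P):
        if seen[start]:
            continue
        h, n = start, 0
        while not seen[h]:
            seen[h] = True
            h, n = perm(h), n + 1
        lengths.append(n)
    return sorted(lengths)

def is_primitive(a):
    """True when a generates the multiplicative group of GF(P)."""
    return all(pow(a, (P - 1) // f, P) != 1 for f in FACTORS)

def fixed_point(a, b):
    """The sole fixed point b/(1 - a) of aff(a, b) when a != 1 (pow(x, -1, P) needs Python 3.8+)."""
    return b * pow(1 - a, -1, P) % P

def poly_hash(coeffs, h):
    """f_X(h) = c1*h + ... + cm*h^m (zero constant term), by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc + c) * h % P
    return acc

def worst_hits(coeffs, a, b, d):
    """Exact number of H in GF(P) with f_X(H) = next^k(H), maximised over k = 1..d, for next = aff(a, b).
    Divided by N it is the first probability of the (d, delta)-uniformity definition, so it never exceeds d*delta."""
    worst = 0
    for k in range(1, d + 1):
        ak = pow(a, k, P)                                   # next^k(H) = a^k H + b(1 + a + ... + a^(k-1))
        bk = b * sum(pow(a, i, P) for i in range(k)) % P
        hits = sum(1 for h in range(P) if poly_hash(coeffs, h) == (ak * h + bk) % P)
        worst = max(worst, hits)
    return worst

if __name__ == "__main__":
    a = next(x for x in range(2, P) if is_primitive(x))    # a primitive element of GF(8191)
    print(cycle_lengths(aff(1, 7)), cycle_lengths(aff(a, 7)), fixed_point(a, 7))
    print(worst_hits([1, 0, 1], a, 7, 3))                    # f_X(h) = h + h^3: at most 3 roots per k
```

With $a = 1$ the single cycle has length $N$ because GF(8191) is a prime field; with primitive $a$ the output is one cycle of length $N - 1$ plus the fixed point.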

Theorem 4. Let EHE be built over a field of $N$ elements with $(\pi_1, \pi_2) = (\pi, \pi)$. Let an adversary $A$ make at most $q$ queries $(X, S)$ and messages $X$ in these queries be such that $\deg f_X \le d$. Let the adversary, in addition to each response $T$, receive at most the $d$ first elements of the sequence $r_1 = \pi(\mathrm{next}(\pi(S))), r_2 = \pi(\mathrm{next}^2(\pi(S))), \ldots$ and let $r$ be the total number of such elements. Let $\mathrm{next}$ be $(d, \delta)$-uniform. Then

$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{EHE}}(A) \le \frac{q(3q + 2r\delta - 1)d}{2N}.$$

Proof. Modify the proof of Theorem 2. Let $C_{j,k} = \mathrm{next}^k(H_j)$, $r_{j,k} = \pi(C_{j,k})$. In the event $D_1$ suppress the following collisions:

    Collisions        Quantity     Probability (upper bound)
    Y_i = Y_j         q(q - 1)/2   d/N
    Y_i = S_j         q^2          d/N
    Y_i = C_{j,k}     qr           dδ/N
    T_i = H_j         q^2          1/N
    T_i = r_{j,k}     qr           1/N

The result required follows from the estimates:

$$P\{D_1\} \ge 1 - \frac{q(3q + 2r\delta - 1)d + 2q^2 + 2qr}{2N},$$

$$P\{D_2 \mid D_1\} \ge \frac{1}{(N - q - r)^{[q]}} \ge \frac{1}{N^q}\left(1 + \frac{q(3q + 2r - 1)}{2N}\right).$$

The theorem is proved.

To fully justify the security of the proposed AE[EHE] modes we need to show that it is hard to distinguish from random not only the tags T but also the symbols rk (provided that the nonces S do not repeat). Technically, it can be quite easily done by rebuilding the proofs of Theorems 3 and 4. We leave such rebuilding outside the scope of this paper.

REFERENCES

1. Wegman M. and Carter J. New hash functions and their use in authentication and set equality. J. Comp. and System Sci., 1981, vol. 22, pp. 265-279.

2. Shoup V. On fast and provably secure message authentication based on universal hashing. CRYPTO'96, LNCS, 1996, vol. 1109, pp. 313-328.

3. Bernstein D. Stronger security bounds for Wegman-Carter-Shoup authenticators. EUROCRYPT'2005, LNCS, 2005, vol. 3494, pp. 164-180.

4. McGrew D. A. and Viega J. The security and performance of the Galois/Counter Mode (GCM) of operation. INDOCRYPT'2004, LNCS, 2004, vol. 3348, pp. 343-355.

5. Dworkin M. Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC. NIST Special Publication 800-38D, 2007. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf.

6. Rogaway P. Evaluation of Some Blockcipher Modes of Operation. Cryptography Research and Evaluation Committees (CRYPTREC), 2011. http://www.cryptrec.go.jp/estimation/techrep_id2012_2.pdf.

7. Gueron S. and Lindell Y. GCM-SIV: full nonce misuse-resistant authenticated encryption at under one cycle per byte. Proc. CCS'15, Denver, CO, USA, 2015, pp. 109-119.

8. STB 34.101.31-2011. Informatsionnye Tekhnologii i Bezopasnost'. Zashchita Informatsii. Kriptograficheskie algoritmy shifrovaniya i kontrolya tselostnosti [Information Technology and Security. Data Encryption and Integrity Algorithms]. Standard of Belarus, 2011. http://apmi.bsu.by/assets/files/std/belt-spec27.pdf (in Russian).

9. Lidl R. and Niederreiter H. Finite Fields. Cambridge University Press, 1997.

10. Patarin J. Étude des Générateurs de Permutations Basés sur le Schéma du D.E.S. Ph.D. Thesis, University of Paris, 1991. (in French)

11. Nandi M. Improved security analysis for OMAC as a pseudorandom function. J. Math. Cryptol., 2009, vol. 3, pp. 133-148.
