Recent Advances in Authenticated Encryption September 19-22, 2016, Indian Statistical Institute, Kolkata
Recent development in AES-GCM authenticated encryption
optimization and deployment, and its nonce misuse resistant version GCM-SIV
Shay Gueron
University of Haifa
University of Haifa, Israel
Intel Corporation Intel Corporation, Israel Development Center, Haifa, Israel
• With Horner's rule: one field multiplication per block
Aggregation:
• Pre-compute k powers of H to evaluate the polynomial
• Defer the reduction to once every k polynomial (ring) multiplications
• Operate on x ● H
• Useful choices are k=8 or 6
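The two GHASH evaluation strategies above, as an added example that is not part of the slides: Horner's rule with one reduced field multiplication per block, and the aggregated form that precomputes H^1..H^k, XORs the unreduced carry-less products of a k-block chunk, and reduces once. The GCM field arithmetic is written out in the bit-reflected representation the slides mention (leftmost block bit = x^0 coefficient).

```python
# Added example (not from the slides): GHASH over GCM's GF(2^128), evaluated by
# Horner's rule (one field multiplication per block) and by the aggregated method
# (precomputed H^1..H^k, one reduction per k blocks). Blocks are big-endian ints.
P_GCM = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1  # x^128 + x^7 + x^2 + x + 1

def reflect(v):
    """Reverse the 128-bit string: in GCM the leftmost bit is the x^0 coefficient."""
    return int(f"{v:0128b}"[::-1], 2)

def clmul(a, b):
    """Carry-less product of two 128-bit polynomials, unreduced (up to 255 bits)."""
    r = 0
    for i in range(b.bit_length()):
        if (b >> i) & 1:
            r ^= a << i
    return r

def reduce_mod(p):
    """Reduce an unreduced product modulo P_GCM, clearing the highest terms first."""
    for i in range(p.bit_length() - 1, 127, -1):
        if (p >> i) & 1:
            p ^= P_GCM << (i - 128)
    return p

def gf_mul(x, y):
    """The GCM block product x * y (the slides' "x ● H")."""
    return reflect(reduce_mod(clmul(reflect(x), reflect(y))))

def ghash_horner(h, blocks):
    """X1*H^n + X2*H^(n-1) + ... + Xn*H with one multiplication per block."""
    y = 0
    for x in blocks:
        y = gf_mul(y ^ x, h)
    return y

def ghash_aggregated(h, blocks, k=8):
    """Same value: k precomputed powers of H, one reduction per k products."""
    hr = reflect(h)
    powers = [None, hr]                        # powers[j] = H^j in polynomial form
    for _ in range(2, k + 1):
        powers.append(reduce_mod(clmul(powers[-1], hr)))
    y = 0
    for start in range(0, len(blocks), k):
        chunk = blocks[start:start + k]        # the last chunk may be shorter than k
        m = len(chunk)
        acc = 0                                # XOR-sum of unreduced 255-bit products
        for j, x in enumerate(chunk):
            term = reflect(x) ^ (reflect(y) if j == 0 else 0)
            acc ^= clmul(term, powers[m - j])  # first block gets H^m, last gets H
        y = reflect(reduce_mod(acc))           # one reduction for the whole chunk
    return y
```

Both functions give the same GHASH value; the aggregated one is the form that maps onto PCLMULQDQ-based code with one reduction per chunk.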
AES-GCM / AES-GCM-SIV
Interleaving CTR and GHASH
There are two approaches to GCM:
– Approach 1: an AES-CTR function for encryption plus a separate GHASH function to generate the MAC
– Achieves, at best, the performance of "CTR + GHASH"
– Approach 2: interleave the calculation of CTR and GHASH in a single function
– Achieves better performance
– If coded efficiently, can fill the execution pipe to the maximum
Situation today
AES-GCM is a big success
• Ubiquitous (including OpenSSL and NSS)
• Selected for TLS connections by practically all of the major servers
• Some examples: Google, AWS, Dropbox, Cloudflare
• All browsers support AES-GCM, and will offer it at handshake if running on a CPU with AES-NI (all 64-bit CPUs already have it)
• On the latest architecture (Skylake): AES-GCM is as fast as CTR encryption alone
Familiarity breeds contempt?
GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte
Appeared at ACM CCS 2015
Shay Gueron (University of Haifa, Intel Corp.)
Yehuda Lindell (Bar-Ilan University)
AES-GCM in a nutshell (2)
Derive hash key: H = AES_K(0^128)
Setup initial counter: CTR = IV || 0^31 || 1
Compute MASK = AES_K(CTR)
For j = 1, 2, …:
– CTR = inc32(CTR); c_j = AES_K(CTR) ⊕ m_j
– inc32 increments the 32-bit counter inside the 128-bit block
Set X_1 = a_1, …, X_r = (a_r)', X_{r+1} = c_1, …, X_{r+s} = (c_s)', X_{r+s+1} = (bitlen(M) || bitlen(A))
– All X_j are 128-bit blocks (possible 0 padding for (a_r)', (c_s)')
GHASH_H = X_1 ● H^n ⊕ X_2 ● H^{n-1} ⊕ … ⊕ X_n ● H
– n = r+s+1
– "●" = multiplication in GF(2^128) = GF(2)[x] / P(x)
– P(x) = x^128 + x^7 + x^2 + x + 1 (with reversed order of bits within the bytes)
TAG = GHASH_H ⊕ MASK
C = (c_1, c_2, …, c_s*)
Repeating a nonce (with the same key)
has a disastrous effect on both privacy and integrity
Why Should an IV Repeat?
Randomness is much harder than it should be
– Intel has RDRAND and RDSEED on all new processors (from Ivy Bridge 2011)
Not used inside Linux /dev/random
Bad Randomness
In 2008, a bug in Debian Linux was found
– In 2006, code that was crucial for RNG reseeding was commented out
Bad Randomness
PlayStation 3
– In 2010, the ECDSA private key used by Sony to sign software for PlayStation 3 was recovered because Sony failed to generate a new random nonce for each signature
RSA Keys – Lenstra et al. 2012
Collected 6.4 million RSA keys from the web
– 71,052 occurred more than once
• Different owners can decrypt each other's traffic
• Some of the moduli repeated thousands of times (no entropy)
– 12,934 had a common factor
• Computed GCD(N, N') where N = pq and N' = p'q
• Factor both moduli
We use this for entropy estimation
Entropy Estimation via RSA Keys
The expected number of collisions in q samples from a domain of size N is C(q, 2)/N ≈ q^2/(2N)
We have q = 12,800,000 (the number of primes is double the number of keys)
We have number of collisions = 12,934
So 12,800,000^2 / (2N) = 12,934, giving N ≈ 2^32.56
Conclusion: an "average" of 33 bits of entropy
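The key-set audit described in the two slides above (repeated moduli, shared factors found by GCD, and the birthday-bound entropy estimate), as an added example that is not part of the slides. The moduli are constructed from small primes so the run is instant; real RSA moduli are 2048 bits or more, and the functions work unchanged on them.

```python
# Added example (not from the slides): audit a set of RSA moduli the way the
# Lenstra et al. study did, then estimate generator entropy from collisions.
import math
from collections import Counter
from itertools import combinations

def find_repeats(moduli):
    """Moduli that occur more than once: their owners can read each other's traffic."""
    return {n: c for n, c in Counter(moduli).items() if c > 1}

def find_shared_factors(moduli):
    """Pairs (N, N') with a non-trivial common factor q, each returned fully factored.

    N = p*q and N' = p'*q share q, so gcd(N, N') = q reveals p and p' as well.
    """
    hits = []
    for n1, n2 in combinations(sorted(set(moduli)), 2):
        g = math.gcd(n1, n2)
        if 1 < g < n1:
            hits.append(((g, n1 // g), (g, n2 // g)))
    return hits

def entropy_bits(q, collisions):
    """Birthday estimate: collisions ~ q^2 / (2N), so N ~ q^2 / (2*collisions).

    Returns log2(N), the slides' "average bits of entropy" of the prime generator.
    """
    return math.log2(q * q / (2 * collisions))

# Constructed toy moduli (small primes, for illustration only).
TOY_MODULI = [
    101 * 103,   # p = 101, q = 103
    107 * 103,   # shares q = 103 with the first modulus: both factor via GCD
    109 * 113,
    109 * 113,   # a repeated modulus: no entropy in this "generator"
    127 * 131,
]
```

With the slides' figures, entropy_bits(12_800_000, 12_934) returns about 32.56, the N ≈ 2^32.56 of the estimate.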
And recently…
• Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS
Randomness can repeat, and does repeat. What should we do?
Our goal: an Authenticated Encryption scheme that
– Is nonce-misuse resistant (security)
– Enjoys the performance benefits of AES-GCM (performance)
– Uses only small changes over the existing standard (easy deployment)
– Can re-use software (and hardware) components (efficiency)
Can we really have our cake and eat it too?
YES!
Nonce Misuse Resistance [Rogaway-Shrimpton]
Denote the nonce by N
Security property:
– If N is the same and the message is the same, the result is the same ciphertext
• This is inherent
– Otherwise, full security (authenticated encryption):
• Even if N is the same and the message is not
• Even if N is different and the message is the same
This cannot be achieved for online encryption
– If two long messages differ only in the last bit, when the same N is used…
Abstract SIV Encryption [Rogaway-Shrimpton]
Input: message M and nonce N
Step 1:
– Apply a PRF F with key K1 to (N, M); denote the result by T
Step 2:
– Encrypt M with key K2 using nonce T; denote the result by C
– If nonce N is different, then by the PRF property the value T is pseudorandom
– If nonce N is the same but M is different, then by the PRF property the value T is pseudorandom
– The value T also serves as a valid MAC, and so we have authenticated encryption
Efficient Instantiations
Option 1 – apply a PRF based on AES
– What PRFs do we have? CBC-MAC
– Very expensive
Option 2 – construct a more efficient PRF using simpler primitives
– Let H be an ε-XOR universal hash function: for all x, y, z: Pr[H_{K1}(x) ⊕ H_{K1}(y) = z] ≤ ε(n)
Claim: F_{K1,K2}(N, M) = F_{K2}(H_{K1}(M) ⊕ N) is a PRF
Universal-Hash Based PRF
The construction: F_{K1,K2}(N, M) = F_{K2}(H_{K1}(M) ⊕ N)
Proof idea:
– By the PRF property of F, the adversary can distinguish only if it queries (N, M), (N', M') where H_{K1}(M) ⊕ N = H_{K1}(M') ⊕ N'
– Equivalently: if H_{K1}(M) ⊕ H_{K1}(M') = N ⊕ N'
– By the ε-XOR property, this happens with probability only ε for each pair
– Therefore, a secure PRF for negligible ε
The GCM-SIV Instantiation
The GHASH function H in GCM is an ε-XOR universal hash function (for negligible ε) [McGrew-Viega]; we use an improved construction
The PRF used is AES (only a single block is needed)
Encryption is AES-CTR
Versions:
– Three different keys (for GHASH, PRF, CTR-ENC)
– Two keys: use the same key for PRF and CTR-ENC
– One key: derive the two keys using AES itself
The GCM-SIV Instantiation
A very important property:
all the elements here are identical to the existing AES-GCM
– We only change the order of operations using the Synthetic IV paradigm
– MAC first, mix result with IV, then encrypt
Why is this important?
– Efficiency
– Deployment ease (use existing code bases)
GCM-SIV (context)
Input:
– 2 keys: K, H
– Nonce (N); assume 95 bits
– A: associated data (a_1, a_2, …, a_r*)
– M: plaintext (m_1, m_2, …, m_s*)
• s ≤ 2^32 − 1; a_r* and m_s* are not necessarily full 128-bit blocks
The single-key variant uses the input key K0 to derive: H = AES_K0(0^128), K = AES_K0(0^127 || 1)
Output:
– Ciphertext: C = (c_1, c_2, …, c_s*)
– Authentication tag: TAG
Definition:
– POLYVAL_H(X_1 || X_2 || … || X_n) = X_1 ● H^n ⊕ X_2 ● H^{n-1} ⊕ … ⊕ X_n ● H
• "●" = multiplication in GF(2^128) = GF(2)[x] / P(x); P(x) = x^128 + x^127 + x^126 + x^121 + 1
• Can be the same as GHASH (if bits are reversed) but does not have to be
• Detailed specifications, reference code and open-source optimized implementations coming soon
• Submitting GCM-SIV to the IETF's Crypto Forum Research Group (CFRG) as an RFC
• Unpatented
• We hope to see it adopted
Enhanced AES-GCM-SIV (CFRG submission)
AES-GCM-SIV 128 flow (encryption)
– Input:
• in_AAD, in_MSG
• K, N
– Message / AAD padding:
• AAD = pad in_AAD to d blocks
• MSG = pad in_MSG to n blocks (M_1 || M_2 || M_3 … || M_n)
• Define LENBLK
• Padded AAD/MSG = AAD || MSG || LENBLK (consists of d+n+1 blocks)
– Calculate (AES = AES-128):
• Record_Hash_key = AES_K(N)
• Record_Enc_key = AES_K(Record_Hash_key)
• T = POLYVAL_Record_Hash_key(AAD || MSG || LENBLK)
• TAG = AES_Record_Enc_key(0 || T[126:0])
• CTRBLK_i = 1 || TAG[126:32] || (TAG[31:0] + i) (i is 32 bits long; i = 0, 1, …, i < 2^32 − 1; "+" is addition modulo 2^32)
• CT_i = AES_Record_Enc_key(CTRBLK_i) ⊕ M_i
• Define CT = (CT_1, CT_2, …, CT_n)
• If length(in_MSG) != length(CT), chop the least-significant bits of CT so that length(in_MSG) == length(CT)
– Output:
• CT = (CT_1, CT_2, …, CT_n)
• TAG
AES-GCM-SIV 256 flow (encryption)
– Calculate (AES = AES-256):
• Record_Hash_key[127:0] = AES_K(N)
• Record_Enc_key[255:128] = AES_K(Record_Hash_key)
• Record_Enc_key[127:0] = AES_K(Record_Enc_key[255:128])
• T = POLYVAL_Record_Hash_key(AAD || MSG || LENBLK)
• TAG = AES_Record_Enc_key(0 || T[126:0])
• CTRBLK_i = 1 || TAG[126:32] || (TAG[31:0] + i) (i is 32 bits long; i = 0, 1, …, i < 2^32 − 1; "+" is addition modulo 2^32)
• CT_i = AES_Record_Enc_key(CTRBLK_i) ⊕ M_i
• Define CT = (CT_1, CT_2, …, CT_n)
• If length(in_MSG) != length(CT), chop the least-significant bits of CT so that length(in_MSG) == length(CT)
– Output:
• CT = (CT_1, CT_2, …, CT_n)
• TAG
AES-GCM-SIV CFRG Meeting 48
[Figure: AES-GCM-SIV 128 flow (encryption). Inputs: AAD, MSG, Alen, Mlen, N, K. Padded_AAD || Padded_MSG || LENBLK goes through POLYVAL keyed with Record_Hash_key (= AES_K(N)) to give T; the MSB of T is zeroed and the result is encrypted with AES under Record_Enc_Key to give TAG; CTRBLK_i = 1 || TAG[126:32] || (TAG[31:0] + i) is encrypted with AES under Record_Enc_Key to produce CT_i. Outputs: CT_i, TAG. AES = AES128; "+" is addition modulo 2^32.]
[Figure: AES-GCM-SIV 256 flow (encryption). Same structure, with Record_Hash_Key = AES_K(N) and the two halves Record_ENC_KEY[255:128] and Record_ENC_KEY[127:0] each derived by a further AES call; CTRBLK_i = 1 || TAG[126:32] || (TAG[31:0] + i). AES = AES256; "+" is addition modulo 2^32.]
AES-GCM-SIV 128 Performance (in C/B)
AES_GCM_SIV_Encryption (128 bit)
        1KB    2KB    4KB    8KB    16KB
HSW     1.78   1.50   1.37   1.31   1.27
BDW     1.35   1.12   1.01   0.95   0.92
SKL     1.32   1.12   1.02   0.98   0.95
AES_GCM_SIV_Decryption (128 bit)
        1KB    2KB    4KB    8KB    16KB
HSW     1.88   1.50   1.38   1.29   1.26
BDW     1.30   1.00   0.88   0.80   0.68
SKL     1.09   0.85   0.74   0.68   0.66
GCM-SIV 256 Performance (in C/B)
AES_GCM_SIV_Encryption (256 bit)
        1KB    2KB    4KB    8KB    16KB
HSW     1.90   1.89   1.70   1.61   1.56
BDW     1.83   1.48   1.31   1.23   1.19
SKL     1.75   1.46   1.32   1.25   1.22
AES_GCM_SIV_Decryption (256 bit)
        1KB    2KB    4KB    8KB    16KB
HSW     2.22   1.77   1.70   1.61   1.56
BDW     1.72   1.32   1.31   1.23   1.19
SKL     1.36   1.10   0.32   1.25   1.22
GCM-SIV Short Messages Performance [Cycles]
AES_GCM_SIV 128 bit (encryption)
Input Size    16B    32B    64B
HSW           514    569    658
BDW           476    515    573
SKL           342    356    422
AES_GCM_SIV 256 bit (encryption)
Input Size    16B    32B    64B
HSW           310    348    483
BDW           287    306    419
SKL           213    243    354
References
• S. Gueron, Y. Lindell, GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte, 22nd ACM Conference on Computer and Communications Security (ACM CCS 2015), pages 109-119, 2015.
• AES-GCM-SIV CFRG Spec: S. Gueron (University of Haifa and Intel Corporation), A. Langley, Y. Lindell (Bar-Ilan University), August 29, 2016.