OMD version 2 - Nanyang Technological Universitydiac2015/slides/diac2015_15_omd.pdf · OMD version 2.0 Reza Reyhanitabar Design Team: Simon Cogliani, Diana Maimut, David Naccache

OMD version 2.0

Reza Reyhanitabar

Design Team:Simon Cogliani, Diana Maimut, David Naccache (ENS, France)Rodrigo Portella do Canto (Paris II - Panthéon-Assas University, France)Reza Reyhanitabar, Serge Vaudenay, Damian Vizár (EPFL, Switzerland)

DIAC 2015: DIRECTIONS IN AUTHENTICATED CIPHERS, 28-29 SEPTEMBER 2015, SINGAPORE

CAESAR candidate OMD

OMD stands for Offset Merkle–Damgård

Compression function-based mode of operation for AEAED

Notable Features: High security level

127-bit security using sha-256

255-bit security using sha-512

Provable security (based on a well-studied standard security assumption)

If the compression function keyed via its message input is PRF then OMD is a secure AEAD.

2DIAC 2015: DIRECTIONS IN AUTHENTICATED CIPHERS, 28-29 SEPTEMBER 2015, SINGAPORE

Nonce-based Authenticated Encryption with Associated Data

Enc

K

N

M

AD

Dec

K

N

C

AD

C MOr ⊥

N: Nonce (public message number)M: Plaintext that needs to be encrypted and authenticatedAD: Associated data that needs to be authenticated, but must not be encryptedC: CiphertextK: Secret Key

3

The Security Goal(s)

𝐀𝐝𝐯Πpriv

(A)=Pr 𝐴𝑬𝒏𝒄𝐾(.,.,.) ⇒ 1 − Pr 𝐴$ (.,.,.) ⇒ 1

𝑬𝒏𝒄𝑲(. , . , . ) $(. , . , . )

N, AD, M

AC C

4

The Security Goal(s)

𝐀𝐝𝐯Πpriv

(A)=Pr 𝐴𝑬𝒏𝒄𝐾(.,.,.) ⇒ 1 − Pr 𝐴$ (.,.,.) ⇒ 1

𝐀𝐝𝐯Πauth(A)=Pr 𝐴𝑬𝒏𝒄𝐾 .,.,. , 𝑫𝒆𝒄𝐾(.,.,.) forges

𝑬𝒏𝒄𝑲(. , . , . ) $(. , . , . )

N, AD, M

AC C

𝑬𝒏𝒄𝑲(. , . , . ) 𝑫𝒆𝒄𝑲(. , . , . )

N, AD, M

AC M or⊥

N, AD, C

A forges if: ∃ 𝑵, 𝑨𝑫, 𝑪 𝒔𝒖𝒄𝒉 𝒕𝒉𝒂𝒕 𝑫𝒆𝒄𝑲 𝑵,𝑨𝑫, 𝑪 ≠⊥ 𝐀𝐍𝐃 𝒏𝒐 𝒑𝒓𝒆𝒗𝒊𝒐𝒖𝒔 𝒒𝒖𝒆𝒓𝒚 𝑬𝒏𝒄𝑲 𝑵,𝑨𝑫,𝑴 𝒓𝒆𝒕𝒖𝒓𝒏𝒆𝒅 𝑪

4

5

. . . 𝑭𝑲

𝑴ℓ−𝟏

𝑭𝑲

𝑴𝟐

𝑭𝑲

𝑴𝟏

𝑭𝑲

𝑴ℓ

IV

Assumption: the keyed compression function F is a PRF MD Preserves PRF (Bellare and Ristenpart, ICALP 2007)

The MD Construction


6

. . . 𝑭𝑲

𝑴ℓ−𝟏

𝑴ℓ−𝟏 ⊕

𝑪ℓ−𝟏

𝑭𝑲

𝑴𝟐

𝑴𝟐 ⊕

𝑪𝟐

𝑭𝑲

𝑴𝟏

𝑴𝟏 ⊕

𝑪𝟏

𝑭𝑲

𝑴ℓ

𝑴ℓ ⊕

𝑪ℓ

Tage𝑭𝑲

𝝉

𝑴𝟑 ⊕

𝑪𝟑

𝟎

Tag𝝉

𝒏

Encrypting a message whose length is a multiple of the block length

OMD: Making a nonce-based AE Scheme based on the MD construction


6

. . . 𝑭𝑲

𝑴ℓ−𝟏

⊕

𝑴ℓ−𝟏 ⊕

𝑪ℓ−𝟏

𝑭𝑲

𝑴𝟐

⊕

𝑴𝟐 ⊕

𝑪𝟐

𝑭𝑲

𝑴𝟏

⊕

𝑴𝟏 ⊕

𝑪𝟏

𝑭𝑲

𝑴ℓ

⊕

𝑴ℓ ⊕

𝑪ℓ

Tage𝑭𝑲

𝝉

⊕

𝑴𝟑 ⊕

𝑪𝟑

𝟎

Tag𝝉

𝒏

Encrypting a message whose length is a multiple of the block length



∆𝓵,𝟏𝑲,𝑵∆𝓵,𝟎

𝑲,𝑵∆𝟑,𝟎𝑲,𝑵∆𝟐,𝟎

𝑲,𝑵∆𝟏,𝟎𝑲,𝑵

7

. . . 𝑭𝑲

𝑴ℓ−𝟏

⊕

𝑴ℓ−𝟏 ⊕

𝑪ℓ−𝟏

𝑭𝑲

𝑴𝟐

⊕

𝑴𝟐 ⊕

𝑪𝟐

𝑭𝑲

𝑴𝟏

⊕

𝑴𝟏 ⊕

𝑪𝟏

𝑭𝑲

𝑴∗||𝟏𝟎∗

⊕

𝑴∗ ⊕

𝑪ℓ

Tage𝑭𝑲

𝝉

⊕

𝑴𝟑 ⊕

𝑪𝟑

𝟎

Tag𝝉

𝒏

Encrypting a message whose length is not a multiple of the block length



∆𝟏,𝟎𝑲,𝑵 ∆𝟐,𝟎

𝑲,𝑵 ∆𝟑,𝟎𝑲,𝑵 ∆𝓵,𝟎

𝑲,𝑵∆𝓵,𝟐𝑲,𝑵

8

Handling Associated Data in OMD when the length of the data is a multiple of the input length.


Taga

⊕

. . .

⊕

𝑨𝟏

⊕

𝑨𝒂−𝟏

⊕

𝑨𝒂

⊕ 𝒏

∆ 𝟏,𝟎𝑲 ∆ 𝒂−𝟏,𝟎

𝑲 ∆ 𝒂,𝟎𝑲

9

Handling Associated Data in OMD when the length of the data is not a multiple of the input length.


Taga

⊕

. . .

⊕

𝑨𝟏

⊕

𝑨𝒂−𝟏

⊕⊕

𝑨∗||𝟏𝟎∗

𝒏

∆ 𝟏,𝟎𝑲 ∆ 𝒂−𝟏,𝟎

𝑲 ∆ 𝒂−𝟏,𝟏𝑲

10

OMD A Secure Nonce-based AE Algorithm that integrates a modified MD pass with XOR MAC


. . . 𝑭𝑲

𝑴ℓ−𝟏

⊕

𝑴ℓ−𝟏⊕

𝑪ℓ−𝟏

𝑭𝑲

𝑴𝟐

⊕

𝑴𝟐 ⊕

𝑪𝟐

𝑭𝑲

𝑴𝟏

⊕

𝑴𝟏⊕

𝑪𝟏

𝑭𝑲

𝑴ℓ

⊕

∆𝓵,𝟏𝑲,𝑵

𝑴ℓ⊕

𝑪ℓ

Tage𝑭𝑲

𝝉

⊕

𝑴𝟑⊕

𝑪𝟑

𝟎

Taga

⊕

. . .

⊕

𝑨𝟏

⊕

𝑨𝒂−𝟏

⊕

𝑨𝒂

⊕

Tag𝝉

⊕

Tage

Taga

𝒏

𝒏

∆𝓵,𝟎𝑲,𝑵∆𝟑,𝟎

𝑲,𝑵∆𝟐,𝟎𝑲,𝑵∆𝟏,𝟎

𝑲,𝑵

∆ 𝒂,𝟎𝑲 ∆ 𝒂−𝟏,𝟎

𝑲 ∆ 𝟏,𝟎𝑲

11

Computing the Masking Sequence: OMD version 1

𝚫𝟎, 𝟎𝑲,𝑵 = 𝑭𝑲(𝑵 ∥ 𝟏𝟎𝒏−𝟏− 𝑵 , 𝟎𝒎), 𝜟 𝟎, 𝟎

𝑲 = 𝟎𝒏

--------------------------------------------------------------------------------------

for 𝑖 ≥ 1: for 𝑖 ≥ 0:

𝚫𝒊, 𝟎𝑲,𝑵= 𝚫𝒊−𝟏, 𝟎

𝑲,𝑵 ⊕𝑳 ntz 𝒊 𝜟 𝒊, 𝟏𝑲 = 𝜟 𝒊, 𝟎

𝑲 ⊕𝑳∗𝚫𝒊, 𝟏𝑲,𝑵 = 𝚫𝒊, 𝟎

𝑲,𝑵 ⊕𝟐 ⋅ 𝑳∗𝚫𝒊, 𝟐𝑲,𝑵 = 𝚫𝒊, 𝟎

𝑲,𝑵 ⊕𝟐 ⋅ 𝑳∗

𝜟 𝒊, 𝟎𝑲 = 𝜟 𝒊−𝟏, 𝟎

𝑲 ⊕𝑳 ntz 𝒊

𝑳∗ = 𝑭𝑲 𝟎𝒏, 𝟎𝒎

𝑳 𝟎 = 𝟒 ⋅ 𝑳∗for 𝒊 ≥ 1 𝑳 𝒊 = 𝟐 ⋅ 𝑳 𝒊 − 𝟏


12

Computing the Masking Sequence: OMD version 2

𝚫𝟎, 𝟎𝑲,𝑵 = 𝑭𝑲(𝑵 ∥ 𝟏𝟎𝒏−𝟏− 𝑵 , 𝟎𝒎), 𝜟 𝟎, 𝟎

𝑲 = 𝟎𝒏

--------------------------------------------------------------------------------------

for 𝑖 ≥ 1: for 𝑖 ≥ 0:

𝚫𝒊, 𝟎𝑲,𝑵= 𝚫𝒊−𝟏, 𝟎

𝑲,𝑵 ⊕𝑳 ntz 𝒊 𝜟 𝒊, 𝟏𝑲 = 𝜟 𝒊, 𝟎

𝑲 ⊕𝑳∗𝚫𝒊, 𝟏𝑲,𝑵 = 𝚫𝒊, 𝟎

𝑲,𝑵 ⊕𝟐 ⋅ 𝑳∗𝚫𝒊, 𝟐𝑲,𝑵 = 𝚫𝒊, 𝟎

𝑲,𝑵 ⊕𝟐 ⋅ 𝑳∗

𝜟 𝒊, 𝟎𝑲 = 𝜟 𝒊−𝟏, 𝟎

𝑲 ⊕𝑳 ntz 𝒊

𝑳∗ = 𝑭𝑲 𝟎𝒏, < 𝝉 >𝒎

𝑳 𝟎 = 𝟒 ⋅ 𝑳∗for 𝒊 ≥ 1 𝑳 𝒊 = 𝟐 ⋅ 𝑳 𝒊 − 𝟏


13

𝜎𝑒: total number of calls to the compression function in encryption queries

𝝈: total number of calls to the compression function in all (encryption and verification) queries

𝑞𝑣: the number of decryption (verification) queries

ℓ𝑚𝑎𝑥: the maximum number of internal calls to the compression function in any query

𝒏: the output length of the compression function in bits

𝜏: the tag length

𝑡′ = 𝑡 + 𝑐𝑛𝜎

𝐀𝐝𝐯p−OMD 𝐹,𝜏priv

(𝑡, 𝜎𝑒 , ℓ𝑚𝑎𝑥)=𝐀𝐝𝐯𝐹p𝑟𝑓

(𝑡′, 2𝜎𝑒)+𝟑𝝈𝒆

𝟐

𝟐𝒏

𝐀𝐝𝐯p−OMD 𝐹,𝜏auth (𝑡, 𝑞𝑣 , 𝜎, ℓ𝑚𝑎𝑥)=𝐀𝐝𝐯𝐹

p𝑟𝑓(𝑡′, 2𝜎)+

𝟑𝝈𝟐

𝟐𝒏+

𝑞𝑣ℓ𝑚𝑎𝑥

2𝑛+𝑞𝑣

2𝜏

Security


14

𝑭𝑲𝑻

≊⊕ 𝑭𝑲

𝚫𝑲(𝑻)

We used the XE method to make a tweak able-PRF out of a PRF.

This is the cause of the birthday-type term (𝟑𝝈𝟐

𝟐𝒏) in the security

bounds

𝑻 = (𝑵, 𝒊, 𝒋)


14

𝑭𝑲𝑻

≊⊕ 𝑭𝑲

𝚫𝑲(𝑻)

We used the XE method to make a tweak able-PRF out of a PRF.

This is the cause of the birthday-type term (𝟑𝝈𝟐

𝟐𝒏) in the security

bounds

𝑻 = (𝑵, 𝒊, 𝒋)

Using a native tweakable-and-keyed compression function (i.e. one with dedicated tweak and key inputs) this term can be avoided.

Any such functions?• Allocating some part of the input for tweak may be an option but this limits the parameters’ sizes compared

to the original OMD

• The TWEAKEY Framework (Jean, Nikolić, and Peyrin, ASIACRYPT 2014) seems a promising way toward designing an efficient TWEAKEY Compression Function.


Conclusion

OMD v2 is a new version of OMD with a minor tweak

OMD v2 has the same performance as OMD v1

OMD v2 has the same security bounds as OMD v1

OMD v2 is NOT susceptible to the tag-length variation misusing attacks, posted on the CAESAR mailing list on 25 April 2014 by the Ascon team.


Thanks!

Questions?


Documents

OMD version 2 - Nanyang Technological Universitydiac2015/slides/diac2015_15_omd.pdf · OMD version 2.0 Reza Reyhanitabar Design Team: Simon Cogliani, Diana Maimut, David Naccache