
1

Crafting Definitions

Phillip Rogaway, University of California, Davis, USA

spotniq (Symmetric Proof Techniques)

30 July 2018, Bertinoro, Italy

introduction – adept secret-sharing – indistinguishability up to correctness – online AE – conclusions

2

Our theme is symmetric proof techniques. Why am I talking about definitions?

Proofs are at most as worthwhile as the definitions on which they rest.

Proofs are the logical starting point for provable security.

[Figure: the provable-security pipeline. Definition D → Protocol P → Proof; Realization: Protocol p, Definition d.]

[Goldwasser, Micali 82]

0. Intro


3

Definitions also:

1. Shape what we work on and see.
2. Enable clear communication and thinking.
3. Help in breaking schemes.
4. Give rise to schemes with improved efficiency.
5. Ground cryptographic work that falls outside the provable-security framework.

4

The significance of definitions in cryptography is under-emphasized:

• little critique of definitions
• cavalier treatment of them in papers & talks
• no agreement on details
• little recognition about the extent to which defns are socially constructed & purpose-serving
• Startlingly basic things lack good definitions — and this seems to go unnoticed.

The starting point to correct this problem is the decision to take definitions seriously.

5

Today and tomorrow: definitional examples

1. Secret sharing (Adept Secret Sharing, ADSS) [Bellare, Dai, Rogaway: 2018]
2. Indistinguishability (up to correctness: IND|C), incl. PKE – Stateful AE – Onion-AE [Rogaway, Zhang: CRYPTO 2018], [Rogaway, Zhang: PETS 2018]
3. Online AE [Hoang, Reyhanitabar, Rogaway, Vizár: CRYPTO 2015]

Relatively recent. All related to symmetric encryption. Bad examples if you’ve never seen a cryptographic definition. To some crypto folks, these topics would seem extremely banal.

6

1. Secret sharing (Adept Secret Sharing, ADSS) [Bellare, Dai, Rogaway: 2018]
2. Indistinguishability (IND|C) (incl. Stateful AE, Onion-AE) [Rogaway, Zhang: PETS 2018], [Rogaway, Zhang: CRYPTO 2018]
3. Garbled circuits (Garbling schemes) [Bellare, Hoang, Rogaway: CCS 2012], [Bellare, Hoang, Rogaway: Asiacrypt 2012: Dynamic adversaries], [Bellare, Hoang, Keelveedhi, Rogaway: S&P 2013: Efficiency]
4. Online AE [Hoang, Reyhanitabar, Rogaway, Vizár: CRYPTO 2015]
5. Robust AE [Hoang, Krovetz, Rogaway: EUROCRYPT 2015]

7

1. ADSS

https://www.forbiddenstories.org/

8

https://freedom.press/

9

Example use cases

1. Recovery of passphrase or encryption key after journalist’s death.
2. Recovery of primary materials after journalist’s death.
3. Dead man’s switch.
4. Archive sensitive data you don’t think will be needed anymore.
5. Generate a PK/SK pair, share the SK, keep encrypting material in the public key. Can keep adding documents to the archive, but none can be read until the reconstruction ceremony.
6. Escrow of passwords to friends…

10

Classical secret-sharing [Blakley 79], [Shamir 79]

• A – the access structure: a set of subsets of [1..n] for some n = n(A); monotone
• share: Message ↠ Shares^n
• recover: (Shares ∪ {⋄})^n → Message

Correctness: if S ↞ share(M) and A ∈ A then M = recover(S_A), where S_A[i] = S[i] if i ∈ A, and ⋄ otherwise.

Privacy: (for all B ∉ A)(for all M, M’ ∈ Message) (share(M))_B = (share(M’))_B

11

What’s wrong with this for a user-facing tool?

1. Recovery takes a vector, with entries marked as missing.
2. Fixed access structure. share() and recover() are specific to it … or we are really talking about a family of algorithms, with out-of-band information to select one.
3. No authenticity; recover() always succeeds. Adversary may be able to force recovery of whatever it wants.
4. Sharing isn’t reproducible: no way to regenerate a shareholder’s share of some secret.
5. Nothing like “associated data” associated to a sharing.
6. All of a share must be kept secret; it’s atomic.

• share: Message ↠ Shares^n
• recover: (Shares ∪ {⋄})^n → Message
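As an added example (my own code, not from the talk or the ADSS paper), here is the classical syntax the slide criticises, in Python: a Shamir t-of-n scheme over a constructed 61-bit prime field, with recover() taking the full-length vector and marking missing entries with None. The demo exercises critiques 1 and 3 above: the vector-with-gaps interface, and the absence of any authenticity check, so a corrupted share is accepted and yields a different secret without any error.

```python
import secrets

# Constructed toy field: the Mersenne prime 2^61 - 1. Secrets are field elements.
P = (1 << 61) - 1
MISSING = None   # stands in for the "share absent" marker in recover's input vector


def share(secret, t, n):
    """Classical Shamir (t-of-n) sharing: Message -> Shares^n.

    Share i is the point (i, f(i)) of a random polynomial f of degree t-1 with
    f(0) = secret. The access structure (any t of the n shares) is baked into
    the algorithm itself, which is critique 2 on the slide above."""
    assert 0 <= secret < P and 1 <= t <= n < P
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):          # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(i, f(i)) for i in range(1, n + 1)]


def recover(vec, t):
    """Classical recover: (Shares ∪ {MISSING})^n -> Message.

    Takes the full-length vector with absent entries marked (critique 1) and
    interpolates f(0) from the first t shares present. There is no authenticity
    check (critique 3): any t points interpolate to *some* value, so a
    corrupted share yields a wrong secret rather than an error."""
    pts = [s for s in vec if s is not MISSING][:t]
    if len(pts) < t:
        raise ValueError("unauthorized set: fewer than t shares present")
    secret = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # Lagrange basis polynomial evaluated at 0 is num / den (mod P)
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def demo():
    """Returns (correctness holds, corrupted share accepted silently)."""
    m = 0x5EC2E7
    s = share(m, t=3, n=5)
    s_a = [s[0], MISSING, s[2], MISSING, s[4]]   # authorized set {1, 3, 5}
    correct = recover(s_a, 3) == m
    # Shareholder 1's share is altered by one unit; recover "succeeds" anyway.
    bad = [(s[0][0], (s[0][1] + 1) % P), MISSING, s[2], MISSING, s[4]]
    silently_wrong = recover(bad, 3) != m
    return correct, silently_wrong
```

The second flag of demo() is the definitional gap: with this syntax there is no value the scheme can return to say "these shares are inconsistent", which is what the ADSS Recover’s ⊥ output and the Auth notion below supply.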

12

Secret sharing is like encryption. Learn from AE and deterministic PKE.

[Figure: two parallel pipelines. Encryption: Sender feeds M (with N, AD) to Encrypt → Channel → Decrypt at the Receiver, which outputs M or ⊥; a tag T travels alongside. Secret sharing: Dealer feeds M (with R, AD, A) to Share → Channel → Recover at the Reconstructor, which outputs M or ⊥; a tag T travels alongside.]

13

Enlarging the syntax

Classical secret sharing:
• share: Message ↠ Shares^n
• recover: (Shares ∪ {⋄})^n → Message

Adept secret sharing (ADSS):
• Acc: Access → AS
• Share: Access × Message × Rand × Tag → Shares*
• Recover: P(Shares*) → (Access × Message) ∪ {⊥}

Each S ∊ Shares has three components: S.sec, S.pub, S.tag

Correctness:
If S ← Share(A, M, R, T) then Recover(S[U]) = (A, M) if U ∈ Acc(A), and ⊥ if U ∉ Acc(A).
If S ← Share(A, M, R, T) then S[i].tag = T.

14

We attend too little to syntax/form

Wainwright Building, by architect Louis Sullivan

“Whether it be the sweeping eagle in his flight, or … the branching oak [or] the drifting clouds … form ever follows function, and this is the law. Where function does not change, form does not change. … It is the pervading law of all things organic and inorganic, of all things physical and metaphysical …” (Louis Sullivan, 1896)

Form—syntax—is undervalued in crypto. It shapes what is expressible, useful, seen. It has an aesthetic.

15

Security notions

Priv: Unauthorized sets of shares reveal nothing about the shared secret. This assumes there’s enough entropy in the provided message and the coins. Formalized like deterministic PKE [Bellare, Boldyreva, O’Neill 2007].

Priv$: Unauthorized sets of shares reveal nothing about the shared secret. This assumes that coins are uniformly random.

Auth: A share held by an honest user can be used to recover at most one secret, no matter what others do.

16

Authenticity possibilities

Auth: A share held by an honest user can be used to recover at most one secret, no matter what others do.

Auth0: A share issued by an honest dealer and held by an honest user can be used to recover at most one secret, no matter what others do.

ErrDet: When Recover(S) returns (A, M), it is at least possible that sharing out (A, M) could give rise to a vector from which S is an authorized subset.

… How to decide?
- Formalize
- Debate philosophy
- Talk to users
- Explore relations
- Explore constructions
- Favor simplicity
- Do choose

17

Formalizing authenticity

Auth: A share held by an honest user can be used to recover at most one secret, no matter what others do.

18

Auth ⇒ Auth0 (Auth0 restricts Auth to shares issued by an honest dealer)

Auth0: A share issued by an honest dealer and held by an honest user can be used to recover at most one secret, no matter what others do.

Auth: A share held by an honest user can be used to recover at most one secret, no matter what others do.

19

The AD construction

[Figure: labels recovered from the diagram. Inputs: message M, randomness R, tag T, access structure A. A hash H produces J, L and K; E encrypts (∙|M| bits) to C; the basic scheme’s S.Share splits the secret into S1.sec, S2.sec, S3.sec; each share S_i also carries S_i.pub, made up of C, J and T (labelled message, rand, access, secret, public tag); D marks the recover direction.]

Turns a “basic” scheme that achieves only Priv$ into an adept scheme that achieves Priv + Auth.

20

Handling errors: error correction

Not the same as RCSS (robust computational secret sharing).

Recover(S) should return (A, M) if this is the only plausible explanation for S consistent with recovering a value: if there’s a unique maximal subset of qualified shares S_max ⊆ S that could have been shared out by an honest dealer.

[Figure: SSM, 2 of 3.]

21

1. Secret sharing (Adept Secret Sharing, ADSS) [Bellare, Dai, Rogaway: 2018]
2. Indistinguishability (up to correctness: IND|C), incl. PKE – Stateful AE – Onion-AE [Rogaway, Zhang: CRYPTO 2018], [Rogaway, Zhang: PETS 2018]
3. Online AE [Hoang, Reyhanitabar, Rogaway, Vizár: CRYPTO 2015]
4. Garbled circuits (Garbling schemes) [Bellare, Hoang, Rogaway: CCS 2012], [Bellare, Hoang, Rogaway: Asiacrypt 2012: Dynamic adversaries], [Bellare, Hoang, Keelveedhi, Rogaway: S&P 2013: Efficiency]

22

2. IND|C

The IND paradigm: more than a definition

[Figure: adversary A interacts with either the “real” game G^Π or the “ideal” game H^Π, sending queries x_i and receiving answers y_i, and finally outputs 1 or 0.]

Adv^ind_{G,H}(A) = Pr[G^A → 1] – Pr[H^A → 1]

Adv^xxx_Π(A) = Adv^ind_{G^Π,H^Π}(A)

- Definition: G ≈ H
- Paradigm: xxx-security of Π

23

The game-playing model

[Figure: a game G with procedures Initialize, Oracle_j and Finalize; the adversary A sends queries x_i (u_j) and receives answers y_i (v_j); the game uses a key k and coins r and ends with an output bit.]

24

Defining IND-CCA security for a PKE scheme Π = (K, E, D)

Games G1 (real) and H1 (ideal); they differ only in Enc:

Initialize(k): (pk, sk) ↞ K(k); return
Key(): return pk
Enc(m): c ↞ E(pk, m) [G1]  |  c ↞ E(pk, 0^|m|) [H1]; return c
Dec(c): m ← D(sk, c); return m
Finalize(b): return b

We can’t leave it at this. Must exclude trivial wins?

“Oracle silencing”, cf. “Exclusion-style defn” [BHK09]: Enc additionally records L ← L || c, and Dec begins with “if c ∈ L then return ⟡”.

25

Defining IND-CCA security for a PKE scheme Π = (K, E, D): “Penalty-style defn” [BHK09]

Initialize(k): (pk, sk) ↞ K(k); return
Key(): return pk
Enc(m): c ↞ E(pk, m) [G1]  |  c ↞ E(pk, 0^|m|) [H1]; L ← L || (+, c); return c
Dec(c): m ← D(sk, c); L ← L || (−, c); return m
Finalize(b): if L contains a (+, c) and a subsequent (−, c) then return 0; return b
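To make the two bookkeeping styles concrete, here is an added Python example (my own code, not from the talk or the BHK paper) that runs the real and ideal games side by side. The PKE is a constructed textbook ElGamal over a tiny group, present only so the games have a correct (K, E, D) to drive; the Game class, the two adversaries and the style names "none", "exclusion" and "penalty" are my own labels for the bare games, the exclusion-style list L and the penalty-style Finalize of the two slides.

```python
import secrets

# Constructed toy PKE: textbook ElGamal in the order-509 subgroup of Z_1019^*.
# The parameters are tiny and the scheme exists only to give the games a
# correct (K, E, D); messages are elements of that subgroup.
P, Q, G = 1019, 509, 4
ZERO = 1          # plays the role of 0^|m| in H1: a fixed dummy message
SILENCED = "⟡"    # the silenced response of the exclusion-style game


def K():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk                      # (pk, sk)


def E(pk, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(pk, r, P) % P    # (g^r, m * pk^r)


def D(sk, c):
    c1, c2 = c
    return c2 * pow(c1, (Q - sk) % Q, P) % P      # c2 / c1^sk, since c1^Q = 1


class Game:
    """G1 (real=True) or H1 (real=False), with the bookkeeping list L.

    style = "none":      the bare games (the trivial win is available)
    style = "exclusion": Dec(c) on a challenge ciphertext returns SILENCED
    style = "penalty":   Dec answers, but Finalize outputs 0 when L holds a
                         (+, c) followed later by a (-, c)"""

    def __init__(self, real, style):
        self.real, self.style = real, style
        self.pk, self.sk = K()        # Initialize(k)
        self.L = []

    def Key(self):
        return self.pk

    def Enc(self, m):
        c = E(self.pk, m if self.real else ZERO)
        self.L.append(("+", c))
        return c

    def Dec(self, c):
        if self.style == "exclusion" and ("+", c) in self.L:
            return SILENCED
        self.L.append(("-", c))
        return D(self.sk, c)

    def Finalize(self, b):
        if self.style == "penalty":
            for i, (sign, c) in enumerate(self.L):
                if sign == "+" and ("-", c) in self.L[i + 1:]:
                    return 0
        return b


def trivial_adversary(game):
    """Asks for a challenge on m and immediately decrypts it."""
    m = G
    c = game.Enc(m)
    return 1 if game.Dec(c) == m else 0


def legitimate_adversary(game):
    """Decrypts a ciphertext it produced itself, which no style silences."""
    c = E(game.Key(), G)
    return 1 if game.Dec(c) == G else 0


def outcomes(style, adversary=trivial_adversary):
    """Runs the adversary once in G1 and once in H1; returns both game outputs."""
    results = []
    for real in (True, False):
        g = Game(real, style)
        results.append(g.Finalize(adversary(g)))
    return tuple(results)
```

outcomes("none") gives (1, 0): the trivial adversary distinguishes the bare games with advantage 1. Both bookkeeping styles bring that to (0, 0), but by different routes: exclusion changes the Dec answer, penalty changes the verdict, and the legitimate adversary is untouched under either.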

26

Problems with the IND paradigm

1. People screw up, or are overly vague, when giving even the most trivial IND definitions. [BHK 09/15: Subtleties in the Definition of IND-CCA: When and How Should Challenge-Decryption be Disallowed?]

2. IND definitions can get so complicated that they are very difficult to debug / get right.

[Figure: the IND-CCFA definition from [Fischlin, Günther, Marson, Paterson 17: Data is a Stream], correcting the [FGMP15] and [BDPS12] definitions before it.]

27

Problems with the IND paradigm

1. People screw up, or are overly vague, when giving even the most trivial IND definitions. [Bellare, Hofheinz, Kiltz 2009/2015: Subtleties in the Definition of IND-CCA: When and How Should Challenge-Decryption be Disallowed?]

2. IND definitions can get so complicated that they are very difficult to debug / get right.

3. There’s no argument one can make to evidence that an IND-style definition captures what you want.

4. There’s no theory on how to use IND to create definitions.

28

Defining IND-CCA security for a PKE scheme Π = (K, E, D), IND|C style

Games G1 (real) and H1 (ideal), with no exclusion or penalty bookkeeping:

Initialize(k): (pk, sk) ↞ K(k); return pk
Enc(m): c ↞ E(pk, m) [G1]  |  c ↞ E(pk, 0^|m|) [H1]; return c
Dec(c): m ← D(sk, c); return m
Finalize(b): return b

C1 := {Π = (K, E, D) : (∀k)(∀m)[(pk, sk) ↞ K(k); c ↞ E(pk, m) : D(sk, c) = m]}

Adv^{pke.new}_Π := Adv^indc_{G1,H1,C1} ≈ Adv^{pke.old}_Π

pke.old refers to the SE/SP defns of [BHK], or what we defined earlier, not the BE or BP defns.

29

Why approx. equal? We don’t silence impossible transcripts: Dec(c) returns m; then Enc(m’) returns c, where m ≠ m’.

30

IND|C: oracle editing

[Figure: the utopian games G (Real) and H (Ideal), together with C, the class of correct protocols, determine the edited games G̃^Π and H̃^Π.]

Adv^indc_{G,H,C}(A) = Adv^ind_{G̃,H̃}(A)

Adv^xxx_Π(A) = Adv^indc_{G^Π,H^Π,C}(A)

31

IND|C oracle silencing

[Figure: the game-playing model with a silencing layer Ã between the adversary A and the game G: each response y_i of G passes through the silencing function before being returned to A as ỹ_i.]

Silencing function ψ = Silence_{C,G}(t) operates on a query-terminated transcript t = (x_1, y_1, x_2, y_2, …, x_i).

32

When to silence?

Silence an oracle response iff, for the real game, given the transcript t so far, the answer is fixed for every Π ∈ C. If you assume you’re playing G and Π ∈ C then exactly one response y_i is possible.

Valid_{C,G}(x_1, y_1, …, x_j, y_j) = (∃ Π ∊ C)(∃ k ∊ {0,1}*)(∃ r ∊ {0,1}^∞)(∀ i ∊ [1..j]) [G^Π(k, x_1, …, x_i, r) = y_i]

Fixed_{C,G}(x_1, y_1, …, x_j, y_j, x) = (∃! y) Valid_{C,G}(x_1, y_1, …, x_j, y_j, x, y)

ψ = Silence_{C,G}(x_1, y_1, …, x_j) = ⋁_{1 ≤ i ≤ j} Fixed_{C,G}(x_1, y_1, …, x_i)

33

An important caveat

For a meaningful notion, the silencing function must be efficiently computable … at least on the domain that matters: transcripts that can arise in G^Π or H^Π (for Π ∈ C) interactions with an adversary.

34

Crafting Definitions (part 2)

Phillip Rogaway, University of California, Davis, USA

spotniq (Symmetric Proof Techniques)

31 July 2018, Bertinoro, Italy

introduction – adept secret-sharing – indistinguishability up to correctness – online AE – conclusions

35

IND|C

[Figure: adversary A plays the utopian real game G^Π or the utopian ideal game H^Π, each wrapped in a silencing layer ψ that turns the response y_i into ỹ_i; A outputs 1 or 0.]

ψ(t) = 1 iff for the real game, the answer is fixed across all Π ∈ C and all coins used by G.

ỹ_i = y_i if ψ(t) = 0, and ⟡ if ψ(t) = 1

Not symmetric: Adv^indc_{G,H,C} ≠ Adv^indc_{H,G,C}

36

The IND|C paradigm:

1. Formalize syntax for schemes Π and formalize the correctness condition C.
2. Design utopian games G, H (don’t exclude “trivial” wins). Along with C, this determines the IND|C security notion.
3. Verify that the silencing function Silence_{C,G} is efficiently computable on (C, G, H).

37

Provisos

1. Definitions coming out of IND|C are abstract. Seems they must be re-characterized to work with them. This may be hard. May be hard to show ψ efficiently computable.
2. A speculative proposal. We have only applied it to PKE, stateful AE, onion routing. So its generality is unclear.

Yet

1. IND|C might turn out to be a very general tool.
2. The definitions can be compact and rigorous, described by code.
3. Might cover some of what UC does, the ideal utopian game functioning like the ideal functionality.

38

Yevgeniy’s concern

Q: For most PKE schemes, the transcript determines the SK. So Dec() responses will be fixed and therefore silenced. The notion will be degenerate. Yes?

A: No. You silence when responses are fixed with respect to every scheme Π ∈ C. For most t there exists a (correct, highly artificial) PKE scheme Π_t whose existence ensures that Dec() queries are not over-silenced.

39

IND|C variants

1. Always silence impossible transcripts (instead of never silencing them).
2. Silence-then-forgive, instead of silence-then-shut-down.
3. Ideal-side editing: don’t silence the real game, but edit ideal-game responses to copy what the real side would do whenever the response would be fixed if this were the real side.
4. Penalty-style editing: don’t silence; adjust Finalize so that the game outputs 0 if silencing would have happened.
5. Symmetric silencing, for left-or-right games: silence a query response if it is (a) fixed for a left-hand oracle, (b) fixed for a right-hand oracle, and (c) these fixed values are distinct.

All of these are as expressive as the initial version (with efficient-computability side conditions).

40

Example A: Stateful AE

Bellare, Kohno, Namprempre (2002/2004); Kohno, Palacio, and Black (2003); Boyd, Hale, Mjølsnes, and Stebila (2016)

[Figure: the sender runs E with key K, associated data A, message M and state S, producing C; the receiver runs D with K, A, C and state R, producing M’ or ⊥.]

E: K × A × M × S → (C ∪ {⊥}) × S
D: K × A × C × S → (M ∪ {⊥}) × S

How picky should the receiver be? How to define correctness?

41

Parameterizing correctness

Encrypting party sends messages 1, 2, 3, … A level set L ⊆ ℕ* defines the set of permissible orderings for the receiver to have received at some point in time. n ∈ L means getting messages n, in order, is acceptable.

42

The correctness class for a level set

43

Defining sAE

44

Achieving sAE

[Figure, encryption side: E_K takes (n, a, m), where n is a counter that is incremented (inc) per message; the output is the pair (n, c), i.e. n || c is transmitted.]

45

[Figure, decryption side: D_K takes (n, c) and a; the receiver asks whether the sequence of message numbers received so far, with n appended, is in L; if no, output ⊥; if yes, output m.]
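The construction and the level-set parameter of the slides above, as an added Python example (my own code, not the talk’s): a sender that transmits n || c, and a receiver that runs the "n in L?" check and, once it has output ⊥, keeps outputting ⊥. The nAE underneath is a constructed encrypt-then-MAC toy built from the standard library, not a scheme the talk discusses, and the three level sets L_strict, L_lossy and L_replay_free are constructed illustrations of the parameter, not definitions from the paper.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 16   # constructed tag length for the toy nAE below


# --- Constructed toy nAE (encrypt-then-MAC over a SHA-256 counter keystream).
# It only gives the stateful wrapper a correct nAE to call; not for real use.
def _keystream(k, n, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(b"stream" + k + n + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def _mac_input(n, a, body):          # length-prefix a so (a, body) splits are unambiguous
    return n + len(a).to_bytes(4, "big") + a + body


def nae_enc(k, n, a, m):
    body = bytes(x ^ y for x, y in zip(m, _keystream(k, n, len(m))))
    tag = hmac.new(b"mac" + k, _mac_input(n, a, body), hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def nae_dec(k, n, a, c):
    if len(c) < TAG_LEN:
        return None
    body, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    want = hmac.new(b"mac" + k, _mac_input(n, a, body), hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, want):
        return None
    return bytes(x ^ y for x, y in zip(body, _keystream(k, n, len(body))))


# --- Level sets L ⊆ ℕ*, each written as a predicate on the sequence of message
# numbers the receiver has accepted (constructed examples of the parameter).
def L_strict(seq):       # exactly 1, 2, 3, ...: no loss, no reordering
    return all(n == i + 1 for i, n in enumerate(seq))


def L_lossy(seq):        # strictly increasing: loss allowed, no reordering or replay
    return all(a < b for a, b in zip(seq, seq[1:]))


def L_replay_free(seq):  # any order, but each message number at most once
    return len(set(seq)) == len(seq)


class Sender:
    def __init__(self, k):
        self.k, self.n = k, 0

    def enc(self, a, m):
        self.n += 1                                   # state: next message number
        nonce = self.n.to_bytes(8, "big")
        return nonce + nae_enc(self.k, nonce, a, m)   # transmit n || c


class Receiver:
    def __init__(self, k, in_L):
        self.k, self.in_L = k, in_L
        self.seen = ()           # message numbers accepted so far
        self.dead = False        # once ⊥ has been output, stay at ⊥

    def dec(self, a, c):
        if self.dead or len(c) < 8:
            self.dead = True
            return None
        nonce, body = c[:8], c[8:]
        n = int.from_bytes(nonce, "big")
        m = nae_dec(self.k, nonce, a, body)
        if m is None or not self.in_L(self.seen + (n,)):   # the "n in L?" check
            self.dead = True
            return None
        self.seen += (n,)
        return m


def demo():
    """Delivers messages 1, 3, 2, 2 to receivers parameterized by different L."""
    k = secrets.token_bytes(32)
    s = Sender(k)
    c1, c2, c3 = [s.enc(b"hdr", m) for m in (b"one", b"two", b"three")]
    delivery = [c1, c3, c2, c2]
    out = {}
    for name, L in (("strict", L_strict), ("lossy", L_lossy), ("replay_free", L_replay_free)):
        r = Receiver(k, L)
        out[name] = [r.dec(b"hdr", c) for c in delivery]
    # A forged ciphertext (one tag byte flipped) is rejected even by the laxest
    # receiver, and the error persists for the valid ciphertext that follows.
    r = Receiver(k, L_replay_free)
    forged = c1[:-1] + bytes([c1[-1] ^ 1])
    out["tampered"] = [r.dec(b"hdr", forged), r.dec(b"hdr", c1)]
    return out
```

The same sender and the same ciphertexts are judged differently by the three receivers: the strict receiver dies at message 3, the lossy one dies when 2 arrives after 3, and the replay-free one dies only on the repeated 2. That is the point of parameterizing correctness by L rather than fixing one notion of "in order" in the definition.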

46

Example B: Onion AE

A form of stateful AE, but more complex.

Privacy – indistinguishability from random bits. State­ful, so repeated encryption of a message should continue to produce fresh ind$ bits.

Authenticity – time-of-exit unforgeability. Stateful, so once an OR has detected a problem, error output should persist.

47

Example B: Onion AE [Goldschlag, Reed, Syverson 1996a, 1996b], [Syverson, Goldschlag, Reed 1997], [Dingledine, Mathewson, Syverson 2004]

The symmetric, low-latency counterpart of mixnets [Chaum 1981]

[Figure: client A (key K0) sends C0 through onion routers OR1, OR2, OR3 (keys K1, K2, K3), each decrypting one layer, to B. M = B || M’. C0 = E_K1(E_K2(E_K3(M))), C1 = E_K2(E_K3(M)), C2 = E_K3(M), C3 = M.]

48

Seeing the problem as a type of Authenticated Encryption (AE): symmetric encryption that aims to achieve both privacy and authenticity.

[Figure: the same chain, client A with K0, OR1, OR2, OR3 with K1, K2, K3, ciphertexts C0, C1, C2; the final output is M or ⊥.]

“Onion-AE”

49

Formalizing security of conventional AE

[Figure: adversary A, outputting 1 or 0, with an encryption and a decryption oracle. Real: Enc(N, M) → C = E_K(N, M) and Dec(N, C) → M = D_K(N, C). Ideal: Enc(N, M) → $ (random bits) and Dec(N, C) → ⊥.]

You must adjust this to banish trivial wins:
- Repeated Enc(N, M) queries
- Dec(N, C) after Enc(N, ·) → C

50

Onion-AE syntax

[Figure: E with key K0 and state S0 maps M to C0; D with K1 and state S1 maps C0 to C1; D with K2 and S2 maps C1 to C2; D with K3 and S3 maps C2 to M or ⊥.]

A 3-tuple Π = (K, E, D) where
K: ℕ → 𝒦* maps n to n+1 strings
E: 𝒦 × M × U → C × U
D: 𝒦 × C × S → (M ∪ C ∪ {⊥}) × S

51

Correctness

(∀ n) (K0, K1, …, Kn) ↞ K(n)
(∀ t) (M1, …, Mt) ↞ M; S0, S1, …, Sn ← ε
for i ← 1 to t do
    (C0, S0) ← E(K0, Mi, S0)
    for j ← 1 to n do (Cj, Sj) ← D(Kj, Cj−1, Sj)
    assert Cn = Mi

52

Formalizing security

[Figure: adversary A, outputting 1 or 0, with oracles. Real: Enc(M) → C = E_K(M); Dec(i, C) → C’, the output of OR i on C, with the last OR returning M. Ideal: Enc(M) → $; Dec(i, C) → $ if i < n, ⊥ if i = n.]

Oracle silencing: behave like the utopian game shown unless the response you are about to give is fixed in every correct protocol. In that case, answer ⟡.

Idea explored in CRYPTO 2018 paper.

53

IND|C: indistinguishability up to correctness

[Figure: adversary A plays the utopian real game G^Π or the utopian ideal game H^Π through a silencing layer ψ that maps each response y_i to ỹ_i; A outputs 1 or 0.]

Silence an oracle response if, for the real game, given the transcript t so far, the answer is fully determined by Π ∈ C.

Adv^indc_{G,H,C}(A)

54

Utopian games for onion encryption: Real / Ideal

55

Recharacterization

56

Without oracle silencing: concurrent work [Degabriele, Stam 2018], Untagging Tor: A Formal Treatment of Onion Encryption

58

LBE is onion-AE secure

≈ Mathewson’s Proposal 202 (Design 1, Large Block Encryption), 2012. Proposal 261 is 202 with AEZ.

Theorem [informal]: From an adversary A that attacks LBE[𝔼] we construct an adversary B that breaks 𝔼 as a PRP with comparable resources and advantage.

C0 = 𝔼_K1(𝔼_K2(𝔼_K3(M || 0))), where 𝔼 is a wideblock TBC, e.g. AEZ, EME2, Farfalle, HHFHFH

[Figure labels: c1-hist, c2-hist, c3-hist.]

59

1. Secret sharing (Adept Secret Sharing, ADSS) [Bellare, Dai, Rogaway: 2018]
2. Indistinguishability (up to correctness: IND|C), incl. PKE – Stateful AE – Onion-AE [Rogaway, Zhang: CRYPTO 2018], [Rogaway, Zhang: PETS 2018]
3. Online AE [Hoang, Reyhanitabar, Rogaway, Vizár: CRYPTO 2015]
4. Garbled circuits (Garbling schemes) [Bellare, Hoang, Rogaway: CCS 2012], [Bellare, Hoang, Rogaway: Asiacrypt 2012: Dynamic adversaries], [Bellare, Hoang, Keelveedhi, Rogaway: S&P 2013: Efficiency]

60

3. Online-AE

Warning: multiple uses of “online”

1. An efficiency characteristic: can compute in one pass with O(1) memory. E.g.: decryption in OCB is online.
2. An (informal) operational characteristic of a scheme: it is safe to release the prefixes of the output as it’s computed. E.g.: decryption in OCB is not online.
3. A modifier in the name of a security definition to indicate some understood, alternative security definition. E.g.: COPA achieves online AE.

Don’t assume implications!

61

nAE (nonce-based AE)

Syntax: An nAE scheme is a function E: K × N × A × M → C with each E(K, N, A, ·) an injection, x ∈ M ⇒ {0,1}^|x| ⊆ M, and |E(K, N, A, M)| = |M| + τ.

[Figure: adversary A with two oracles. Real: E_K(·,·,·) on (N, A, M) → C and D_K(·,·,·) on (N, A, C) → M or ⊥. Ideal: $(·,·,·) → random bits and ⊥(·,·,·) → ⊥.]

Adv^nae_Π(A) = Pr[A^{E_K, D_K} ⇒ 1] − Pr[A^{$, ⊥} ⇒ 1]

A may not:
- Repeat an N in an Enc query
- Ask a Dec query (N, A, C) after C is returned by an (N, A, ·) Enc query

All-in-one definition [R, Shrimpton 2006]. Builds on a sequence of work beginning with [Bellare-Rogaway 2000, Katz-Yung 2000].

62

nAE (nonce-based AE), continued

1. Atomicity of M
2. Atomicity of C
3. OK to demand non-repeating N

63

MRAE: Misuse-Resistant AE [R, Shrimpton 2006]

Syntax: as for nAE, a function E: K × N × A × M → C with E(K, N, A, ·) an injection, x ∈ M ⇒ {0,1}^|x| ⊆ M, and |E(K, N, A, M)| = |M| + τ.

[Figure: the same oracle setup as for nAE, with the Enc queries (N, A, M).]

Adv^mrae_Π(A) = Pr[A^{E_K, D_K} ⇒ 1] − Pr[A^{$, ⊥} ⇒ 1]

A may not:
- Repeat an N in an Enc query (this restriction is lifted for MRAE; see the next slide)
- Ask a Dec query (N, A, C) after C is returned by an (N, A, ·) Enc query

64

[R, Shrimpton 2006] MRAE: Misuse-Resistant AE

• If N is a nonce, the definition coincides with nAE.
• If N repeats:
  - authenticity is undamaged
  - privacy is damaged to the extent that’s unavoidable: repetitions of (N, A, M) are revealed

Paper on MRAE did not say it was OK to repeat nonces. Wanted to do the best possible if nonces do repeat.

CAESAR submissions: AES-CMCC, AEZ, DEOXYS-II, HS1-SIV

65

The “problem” with MRAE

Aim is impossible for online schemes. The first bit of ciphertext must depend on the last bit of plaintext.

[Figure: the MRAE oracle setup again.]

66

A proposed solution: online-AE

[Fleischmann, Forler, Lucks 2012] McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes. FSE 2012. (Full version, with Wenzel, as ePrint report 2011/644, Dec 2013.)

Promised an AE notion & scheme that was
• online: single-pass encryption with O(1) memory, and
• misuse resistant: retains security in the presence of nonce-reuse

[Figure: schemes grouped under the labels “FFL-security claimed by authors”, “this claimed by others”, “something like FFL-security claimed by authors”, “this claimed by others”; the grouping was lost in extraction. Schemes shown: COPA, Deoxys, Joltik, KIASU, SHELL, Marble, POET, Prøst-COPA, APE, ElmD, Prøst-APE, ++AE, COBRA, Minalpher, Artemia, CBEAM, ICEPOLE, iFeed, Jambu, Keyak, MORUS, NORX, STRIBOB, “Your name here!”]

67

Claim: the FFL definition makes no real sense.

68

Online ciphers [Bellare, Boldyreva, Knudsen, Namprempre 2001]

Fix some n. Let B_n = {0,1}^n = all possible blocks. Let B_n* = all strings of blocks.

A multiple-of-n cipher is a map E: K × B_n* → B_n* where E(K, ·) is a length-preserving permutation for each K ∈ K.

OPerm[n] = all multiple-of-n ciphers π where the i-th block of π(X) depends only on the first i blocks of X.

Good online cipher: a multiple-of-n cipher E where E(K, ·) is indistinguishable from π ↞ OPerm[n].

[Figure: blocks M1 … M5 mapped by E_K to C1 … C5, each C_i depending only on M1 … M_i.]

69

FFL’s definition: OAE1

[Figure: blocks M1 … M5, encrypted under E_K^H (H encodes N and A), give C1 … C5 followed by a tag. The block part ≈ an online cipher for each H; the tag part is like a bunch of random bits. |M| must be a multiple of n.]

Privacy (corrected) + Authenticity (unforgeability)

70

FFL definition: OAE1

Def: a multiple-of-n AE scheme Π is OAE1-secure if Adv^oae1_Π(A) = Pr[A^Left ⇒ 1] – Pr[A^Right ⇒ 1] is “small” for “reasonable” adversaries A. Not allowed to ask Dec(H, C) after Enc(H, M) returns C.

71

OAE1 is weak: the “trivial attack”

• LCP[n]: C_i only depends on K, H, M1 ··· M_i
• Want to decrypt C = E(K, H, M)
• You have an oracle that will encrypt with K, H

[Figure: Enc queries on 0, then m1 || 0, then m1 || m2 || 0, …, comparing each answer with the blocks of C.]

E.g. n = 1: m = |C| encryption queries to recover M. In general, m(2^n − 1) queries to recover M.

• Security grows with the blocksize n
• Crucial to identify n when speaking of security

72

OAE1 is weak: the CPSS attack (chosen-prefix / secret-suffix)

Assume LCP[n]. E.g., n = 128. Like the “BEAST” attack of [Duong, Rizzo 2011].

[Figure: the oracle encrypts P || S under E_K, where P is a chosen prefix (any byte string) and S is the secret suffix (want to learn it). Labels: 0^120, B, S, 0^120 S, 0^112 S S1, 0^112 S S1 B.]

Problems with OAE1

[Figure: M1 … M5 → E_K^H → C1 … C5, T.]

0. Admits unexpected attacks. Chosen-prefix / secret-suffix attack, like BEAST: given an oracle for E(L || · || S) for an arbitrary L and unknown S, you can quickly compute S.

1. Blocksize n should be a user-selectable value, not a scheme-dependent constant. It arises from a resource constraint or a real-time constraint of a user. It shouldn’t be related to an implementing technology.

2. Decryption too should be online. How useful is it to have online encryption if the receiver has to buffer the entire ciphertext?

3. Security needs to be defined for strings of all lengths, not just multiples of n. Saying one will pad begs the question.

4. The reference object is not ideal. Why an online cipher followed by random bits? We could do better with a different reference object.

74

Towards OAE2: user-selectable segmentation [Tsang, Solomakhin, Smith 2009], [Bertoni, Daemen, Peeters, Van Assche 2010/2012]

[Figure: the message M is segmented into M1 M2 M3 M4; E.init(K, N) sets up the state, then E.next, E.next, E.next, E.last produce C1 C2 C3 C4, each τ bits longer than its segment.]

75

Towards OAE2: user-selectable segmentation

[Figure: decryption mirrors encryption: D.init(K, N), then D.next, D.next, D.next, D.last recover M1 M2 M3 M4.]

76

Towards OAE2: user-selectable segmentation

[Figure: when a ciphertext segment has been modified (marked ~), decryption yields M1, M2, ⊥: output stops at the damaged segment.]

77

Towards OAE2: syntax

Def: A segmented-AE scheme is a tuple Π = (K, E, D) where K is a distribution on strings and E = (E.init, E.next, E.last) and D = (D.init, D.next, D.last) are triples of deterministic algorithms:

E.init: K × N → S
E.next: S × A × M → C × S
E.last: S × A × M → C

D.init: K × N → S
D.next: S × A × C → (M × S) ∪ {⊥}
D.last: S × A × C → M ∪ {⊥}

N ⊆ {0,1}*, A = M = C = {0,1}*

78

Defining OAE2: real behavior

[Figure: E.init(K, N), then E.next, E.next, E.next, E.last on M1 … M4 produce C1 … C4, each expanded by τ.]

79

Defining OAE2: ideal behavior

[Figure: for nonce N, each segment is encrypted by a fresh random function indexed by the nonce and all earlier segments: C1 = f_N(M1), C2 = f_{N,M1}(M2), C3 = f_{N,M1,M2}(M3), C4 = f’_{N,M1,M2,M3}(M4), each expanding by τ.]
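The ideal behavior above, as an added Python example (my own model of the reference object; it is neither the paper’s game code nor the CHAIN construction). Each f is realised by lazy sampling: a fresh random string of |M| + τ bytes, memoised per (nonce, history, A, M) and resampled if needed so that f stays injective. Two modelling choices are my assumptions: each segment’s associated data is folded into the history along with its message, and the last segment’s function is indexed separately from the "next" functions. The demo shows round-trip correctness, the τ expansion, that a repeated nonce with an identical first segment repeats C1 (the prefix leakage an online scheme must accept), and that truncated or reordered segments decrypt to ⊥.

```python
import secrets

TAU = 16    # constructed expansion τ (bytes) added to every segment
BOT = None  # ⊥


class IdealOAE2:
    """Lazily sampled model of the OAE2 ideal behavior of the slide.

    Segment i of the stream under nonce N is encrypted by a function indexed
    by (N, all earlier (A, M) pairs, "next"/"last"): a random injective map
    expanding its input by TAU bytes. Decryption inverts the sampled table and
    answers ⊥ for anything the table never produced."""

    def __init__(self):
        self.fwd = {}   # (index, A, M) -> C
        self.inv = {}   # (index, A, C) -> M

    def _f(self, index, a, m):
        key = (index, a, m)
        if key not in self.fwd:
            c = secrets.token_bytes(len(m) + TAU)
            while (index, a, c) in self.inv:     # resample to keep f injective
                c = secrets.token_bytes(len(m) + TAU)
            self.fwd[key] = c
            self.inv[(index, a, c)] = m
        return self.fwd[key]

    # E.init: N -> S   E.next: S x A x M -> C x S   E.last: S x A x M -> C
    def E_init(self, n):
        return (n,)

    def E_next(self, s, a, m):
        return self._f(s + ("next",), a, m), s + ((a, m),)

    def E_last(self, s, a, m):
        return self._f(s + ("last",), a, m)

    # D.init: N -> S   D.next: S x A x C -> (M x S) ∪ {⊥}   D.last: S x A x C -> M ∪ {⊥}
    def D_init(self, n):
        return (n,)

    def D_next(self, s, a, c):
        m = self.inv.get((s + ("next",), a, c), BOT)
        return BOT if m is BOT else (m, s + ((a, m),))

    def D_last(self, s, a, c):
        return self.inv.get((s + ("last",), a, c), BOT)


def demo():
    ideal = IdealOAE2()
    n = b"nonce-1"                                     # constructed sample stream
    segs = [(b"h1", b"alpha"), (b"h2", b"beta"), (b"h3", b"gamma")]
    # Encrypt three segments, the last one through E.last.
    s = ideal.E_init(n)
    cs = []
    for a, m in segs[:-1]:
        c, s = ideal.E_next(s, a, m)
        cs.append(c)
    cs.append(ideal.E_last(s, *segs[-1]))
    # Decrypt in order.
    s = ideal.D_init(n)
    got = []
    for (a, _), c in zip(segs[:-1], cs[:-1]):
        m, s = ideal.D_next(s, a, c)
        got.append(m)
    got.append(ideal.D_last(s, segs[-1][0], cs[-1]))
    # Same nonce, same first segment: C1 repeats (unavoidable prefix leakage).
    c1_again, _ = ideal.E_next(ideal.E_init(n), *segs[0])
    # Truncation: presenting C2 as the final segment is rejected.
    _, s2 = ideal.D_next(ideal.D_init(n), segs[0][0], cs[0])
    trunc = ideal.D_last(s2, segs[1][0], cs[1])
    # Reordering: C2 delivered first is rejected.
    reorder = ideal.D_next(ideal.D_init(n), segs[1][0], cs[1])
    return {
        "roundtrip": got == [m for _, m in segs],
        "expansion": all(len(c) == len(m) + TAU for c, (_, m) in zip(cs, segs)),
        "prefix_repeats": c1_again == cs[0],
        "truncation_rejected": trunc is BOT,
        "reorder_rejected": reorder is BOT,
    }
```

Because the reference object is defined segment by segment, a real scheme that is OAE2-secure inherits exactly these properties and no more: nothing about a segment is hidden beyond what the prefix already reveals, and nothing not produced in sequence under the same nonce decrypts.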

80

Achieving OAE2: the CHAIN construction

Why can’t one use an nAE scheme? OAE2 degenerates to MRAE when there’s one segment and large τ, and to a strong PRP with one segment and τ = 0.

81

Wrapping up online-AE

1. OAE should never have been about nonce-reuse MR. Historical artifact.
2. [Tsang, Solomakhin, Smith 2009] and [Bertoni, Daemen, Peeters, Van Assche 2010/2012] seem more on-track in capturing useful notions of OAE.
3. How does a deeply (and rather obviously) flawed definition become the definitional target for so much constructive work?

82

Conclusions

1. Separate syntax from security, and attend closely to it.
2. Things in need of defining may be right in front of you.
3. Definitions can be wrong; wrong definitions can be popular.
4. Definitions are constructed, not discovered. They are done for the benefit of some community.
5. Definitions are fictions, attending to some concerns and ignoring others.
6. Unique style of modeling in creating a cryptographic definition. Philosophical, but within boundaries. Done with a socio-technical view of what a community needs. The process is dialectical.
7. A good task for graduate students / early-career researchers, or a terrible one? I’m not so sure.