Showing papers by "Eik List published in 2022"

Implicit Key-Stretching Security of Encryption Schemes

Abstract: When keys are small or parts thereof leak, key-recovery attacks on symmetric-key primitives still pose a plausible threat. Key stretching is one well-known means to throttle potential adversaries, where stretching a key by s bit means that a key-recovery attack has to perform $$\min \{2^{k-1}, 2^{k-\lambda +s-1}\}$$ operations on average for $$\lambda $$ bit information leakage. However, typical explicit key stretching requires also the defender to pay for the stretch operations. The usual assumption is that a surrounding encryption scheme does not increase the key-recovery security of its internal primitives. This work challenges this assumption by considering the structure of popular encryption schemes. In particular, message lengths may be non-negligible in settings such as full-disk encryption or archiving, where the adversary can obtain only long messages. Surprisingly, the question of whether a surrounding encryption scheme has only a negligible impact on key recovery seems to have remained uninvestigated. Therefore, it is interesting to study if “implicit” key stretching may come for free as an inherent property of popular schemes. We define an encryption scheme as “fully key-stretching-secure” if an adversary that sees plaintext-ciphertext pairs of at least m blocks each must perform at least m primitive calls for testing a key candidate. Using a similar definition of affine modes as Chakraborti et al. in JMC 2018, we systematically explore common encryption schemes with respect to their key-stretching security. In total, we consider five classes of (1) online, (2) SIV-like, (3) parallelizable two-pass (EME-like), (4) sequential two-pass (CMC-like), and (5) three-pass (HCTR-like) encryption schemes. By modeling them as affine modes, we can identify all considered encryption schemes key-stretching-insecure, i.e., one needs only O(1) primitive calls for testing a key candidate. However, for the insecure schemes from types (4) and (5), namely for EME-, CMC-, and HCTR-like schemes, we propose minor tweaks to ensure full key-stretching security.

Forking Sums of Permutations for Optimally Secure and Highly Efficient PRFs

Abstract: The desirable encryption scheme possesses high PRF security, high efficiency, and the ability to produce variable-length outputs. Since designing dedicated secure PRFs is difficult, a series of works was devoted to building optimally secure PRFs from the sum of independent permutations (SoP), Encrypted Davies-Meyer (EDM), its Dual (EDMD), and the Summation-Truncation Hybrid (STH) for variable output lengths, which can be easily instantiated from existing permutations. For increased efficiency, reducing the number of operations in established primitives has been gaining traction: Mennink and Neves pruned EDMD to FastPRF, and Andreeva et al. introduced ForkCiphers, which take an n-bit input, process it through a reduced-round permutation, fork it into two states, and feed each of them into another reduced-round permutation to produce a 2n-bit output. The constructions above can be used in secure variable-length modes or generalizations such as MultiForkCiphers. In this paper, we suggest a framework of those constructions in terms of the three desiderata: we span the spectrum of (1) output length vs. PRF security, (2) full vs. round-reduced primitives, and (3) fixedvs. variable-length outputs. From this point of view, we identify remaining gaps in the spectrum and fill them with the proposal of several highly secure and efficient fixedand variable-output-length PRFs. We fork SoP and STH to ForkPRF and ForkSTH, extend STH to the variable-outputlength construction STHCENC, which bridges the gap between CTR mode and CENC,and propose ForkCENC, ForkSTHCENC, ForkEDMD, as well as ForkEDM-CTR as the variable-output-length and round-reduced versions of CENC, STH, FastPRF, and FastPRF’s dual, respectively. Using recent results on Patarin’s general Mirror Theory, we have proven that almost all our proposed PRFs are optimally secure under the assumption that the permutations are pairwise independent and random and STH achieves the optimal security depending on the output length. Our constructions can be highly efficient in practice. We propose efficient instantiations from round-reduced AES and back it with the cryptanalysis lessons learned from existing earlier analysis of AES-based primitives.