At ASIACRYPT 1991, Even and Mansour introduced a block cipher construction based on a single permutation. Their construction has since been lauded for its simplicity, yet also criticized for not providing the same security as other block ciphers against generic attacks. In this paper, we prove that if a small number of plaintexts are encrypted under multiple independent keys, the Even-Mansour construction surprisingly offers similar security as an ideal block cipher with the same block and key size. Note that this multi-key setting is of high practical relevance, as real-world implementations often allow frequent rekeying. We hope that the results in this paper will further encourage the use of the Even-Mansour construction, especially when a secure and efficient implementation of a key schedule would result in significant overhead.

https://lirias.kuleuven.be/bitstream/123456789/511051/2/article-2521.pdf

Multi-Key Security: The Even-Mansour Construction Revisited

While modern block ciphers, such as AES, have a block size of at least 128 bits, there are many 64-bit block ciphers, such as 3DES and Blowfish, that are still widely supported in Internet security protocols such as TLS, SSH, and IPsec. When used in CBC mode, these ciphers are known to be susceptible to collision attacks when they are used to encrypt around 232 blocks of data (the so-called birthday bound). This threat has traditionally been dismissed as impractical since it requires some prior knowledge of the plaintext and even then, it only leaks a few secret bits per gigabyte. Indeed, practical collision attacks have never been demonstrated against any mainstream security protocol, leading to the continued use of 64-bit ciphers on the Internet. In this work, we demonstrate two concrete attacks that exploit collisions on short block ciphers. First, we present an attack on the use of 3DES in HTTPS that can be used to recover a secret session cookie. Second, we show how a similar attack on Blowfish can be used to recover HTTP BasicAuth credentials sent over OpenVPN connections. In our proof-of-concept demos, the attacker needs to capture about 785GB of data, which takes between 19-38 hours in our setting. This complexity is comparable to the recent RC4 attacks on TLS: the only fully implemented attack takes 75 hours. We evaluate the impact of our attacks by measuring the use of 64-bit block ciphers in real-world protocols. We discuss mitigations, such as disabling all 64-bit block ciphers, and report on the response of various software vendors to our responsible disclosure of these attacks.

/pdf/on-the-practical-in-security-of-64-bit-block-ciphers-4juej4b1du.pdf

On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN.

It is widely known that double encryption does not substantially increase the security of a block cipher. Indeed, the classical meet-in-the middle attack recovers the 2k-bit secret key at the cost of roughly $2^k$ off-line enciphering operations, in addition to very few known plaintext-ciphertext pairs. Thus, essentially as efficiently as for the underlying cipher with a k-bit key.

The Multi-User Security of Double Encryption.

At CRYPTO ’12, Landecker et al. introduced the cascaded LRW2 (or CLRW2) construction and proved that it is a secure tweakable block cipher up to roughly $$ 2^{2n/3} $$ queries. Recently, Mennink has presented a distinguishing attack on CLRW2 in $$ 2n^{1/2}2^{3n/4} $$ queries. In the same paper, he discussed some non-trivial bottlenecks in proving tight security bound, i.e., security up to $$ 2^{3n/4} $$ queries. Subsequently, he proved security up to $$ 2^{3n/4} $$ queries for a variant of CLRW2 using 4-wise independent AXU assumption and the restriction that each tweak value occurs at most $$ 2^{n/4} $$ times. Moreover, his proof relies on a version of mirror theory which is yet to be publicly verified. In this paper, we resolve the bottlenecks in Mennink’s approach and prove that the original CLRW2 is indeed a secure tweakable block cipher up to roughly $$ 2^{3n/4} $$ queries. To do so, we develop two new tools: First, we give a probabilistic result that provides improved bound on the joint probability of some special collision events, and second, we present a variant of Patarin’s mirror theory in tweakable permutation settings with a self-contained and concrete proof. Both these results are of generic nature and can be of independent interests. To demonstrate the applicability of these tools, we also prove tight security up to roughly $$ 2^{3n/4} $$ queries for a variant of DbHtS, called DbHtS-p, that uses two independent universal hash functions.

Tight Security of Cascaded LRW2.

This paper revisits the multi-user (mu) security of symmetric encryption, from the perspective of delivering an analysis of the $\mathsf {AES\text {-}GCM\text {-}SIV}$ AEAD scheme. Our end result shows that its mu security is comparable to that achieved in the single-user setting. In particular, even when instantiated with short keys (e.g., 128 bits), the security of $\mathsf {AES\text {-}GCM\text {-}SIV}$ is not impacted by the collisions of two user keys, as long as each individual nonce is not re-used by too many users. Our bounds also improve existing analyses in the single-user setting, in particular when messages of variable lengths are encrypted. We also validate security against a general class of key-derivation methods, including one that halves the complexity of the final proposal.

/pdf/revisiting-aes-gcm-siv-multi-user-security-faster-key-3u8xvh0vno.pdf

Revisiting AES-GCM-SIV: Multi-user Security, Faster Key Derivation, and Better Bounds.

Double-block Hash-then-Sum (DbHtS) MACs are a class of MACs that aim for achieving beyond-birthday-bound security, including SUM-ECBC, PMAC_Plus, 3kf9 and LightMAC_Plus. Recently Datta et al. (FSE’19), and then Kim et al. (Eurocrypt’20) prove that DbHtS constructions are secure beyond the birthday bound in the single-user setting. However, by a generic reduction, their results degrade to (or even worse than) the birthday bound in the multi-user setting.

Revisiting the Security of DbHtS MACs: Beyond-Birthday-Bound in the Multi-user Setting

We study the security of $\mathsf {CTR\text {-}DRBG}$, one of NIST’s recommended Pseudorandom Number Generator (PRNG) designs Recently, Woodage and Shumow (Eurocrypt’ 19), and then Cohney et al (S&P’ 20) point out some potential vulnerabilities in both NIST specification and common implementations of $\mathsf {CTR\text {-}DRBG}$ While these researchers do suggest counter-measures, the security of the patched $\mathsf {CTR\text {-}DRBG}$ is still questionable Our work fills this gap, proving that $\mathsf {CTR\text {-}DRBG}$ satisfies the robustness notion of Dodis et al (CCS’13), the standard security goal for PRNGs

Security Analysis of NIST CTR-DRBG

This paper revisits the fundamental cryptographic problem of building pseudorandom functions (PRFs) from pseudorandom permutations (PRPs). We prove that, SUMPIP, i.e. $$P \oplus P^{-1}$$P?P-1, the sum of a PRP and its inverse, and EDMDSP, the single-permutation variant of the "dual" of the Encrypted Davies---Meyer scheme introduced by Mennink and Neves (CRYPTO 2017), are secure PRFs up to $$2^{2n/3}/n$$22n/3/n adversarial queries. To our best knowledge, SUMPIP is the first parallelizable, single-permutation-based, domain-preserving, beyond-birthday secure PRP-to-PRF conversion method.

Beyond-birthday secure domain-preserving PRFs from a single permutation

We analyze the multi-user security of the streaming encryption in Google's Tink library via an extended version of the framework of nonce-based online authenticated encryption of Hoang et al. (CRYPTO'15) to support random-access decryption. We show that Tink's design choice of using random nonces and a nonce-based key-derivation function indeed improves the concrete security bound. We then give two better alternatives that are more robust against randomness failure. In addition, we show how to efficiently instantiate the key-derivation function via AES, instead of relying on HMAC-SHA256 like the current design in Tink. To accomplish this we give a multi-user analysis of the XOR-of-permutation construction of Bellare, Krovetz, and Rogaway (EUROCRYPT'98).

Security of Streaming Encryption in Google's Tink Library

ISO/IEC 9797-1 is an international standard for block-cipher-based Message Authentication Code (MAC). The current version ISO/IEC 9797-1:2011 specifies six single-pass CBC-like MAC structures that are capped at the birthday bound security. For a higher security that is beyond-birthday bound, it recommends to use the concatenation combiner of two single-pass MACs. In this paper, we reveal the invalidity of the suggestion, by presenting a birthday bound forgery attack on the concatenation combiner, which is essentially based on Joux’s multi-collision. Notably, our new forgery attack for the concatenation of two MAC Algorithm 1 with padding scheme 2 only requires 3 queries. Moreover, we look for patches by revisiting the development of ISO/IEC 9797-1 with respect to the beyond-birthday bound security. More specifically, we evaluate the XOR combiner of single-pass CBC-like MACs, which was used in previous version of ISO/IEC 9797-1.

Yaobin Shen

Papers

Revisiting the Security of DbHtS MACs: Beyond-Birthday-Bound in the Multi-user Setting

Security Analysis of NIST CTR-DRBG

Beyond-birthday secure domain-preserving PRFs from a single permutation

Security of Streaming Encryption in Google's Tink Library

On Beyond-Birthday-Bound Security: Revisiting the Development of ISO/IEC 9797-1 MACs