
HBS: A Single-Key Mode of Operation for Deterministic Authenticated Encryption

Tetsu Iwata (Nagoya University, Japan), Kan Yasuda (NTT Corporation, Japan). FSE 2009, Feb. 25, 2009, Leuven, Belgium.



  1. HBS: A Single-Key Mode of Operation for Deterministic Authenticated Encryption
  Tetsu Iwata (Nagoya University, Japan)
  Kan Yasuda (NTT Corporation, Japan)
  FSE 2009, Feb. 25, 2009, Leuven, Belgium

  2. Table of contents
  • Background and motivation
    • Authenticated encryption (AE)
    • Deterministic AE (DAE)
    • Previous work: SIV
  • HBS (Hash Block Stealing)
    • How it works
    • Its efficiency and security

  3. Background (AE)
  • Blockcipher modes of operation
  • Two goals:
    • To establish authenticity (data integrity)
    • To preserve privacy (data confidentiality)
  • Authenticated Encryption (AE)
    • Concurrently achieves the two goals

  4. Background (AE, nonce-based)
  • AE
    • CCM, GCM, OCB, …
    • Usually uses a randomized salt or state-dependent value
    • Formalized as nonce-based AE [Rogaway 2001, 2002, 2004]
  • Nonce
    • Never repeat the same value, or lose all security

  5. Table of contents (section divider; same list as slide 2)

  6. Background (DAE)
  • Nonce misuse
    • Settled by Deterministic Authenticated Encryption (DAE) [Rogaway – Shrimpton 2006]
  • DAE
    • “Secure” even if the same value is used (all an adversary can do is to detect the repetition)

  7. Background (How DAE works)
  • Deterministic algorithms
  • Encryption
    • Input: (Header H, Message M)
    • Output: (Tag T, Encrypted Msg C)
  • Decryption
    • Verifies (H, T, C)
    • Outputs either ⊥ or M

  8. Security definition of DAE
  [Figure: two worlds, “Real” and “Ideal”, each giving the adversary an Enc oracle and a Dec oracle.]
  • Real: Enc(H, M) → (T, C); Dec(H, T, C) → ⊥ / M
  • Ideal: Enc(H, M) → random bits ($$$); Dec(H, T, C) → ⊥
  • Adversaries cannot distinguish the two worlds

  9. Table of contents (section divider; same list as slide 2)

  10. SIV mode of operation
  • A concrete DAE mode [Rogaway – Shrimpton Eurocrypt 2006]
  • “MAC-then-Encrypt”
  • Entirely blockcipher-based
    • Uses CMAC* (vectorized CMAC) for authentication
    • Uses CTR mode for encryption
  • Requires two keys

  11. Motivation
  • Can we construct a single-key DAE mode?

  12. Table of contents (section divider; same list as slide 2)

  13. HBS (Hash Block Stealing)
  • The HBS mode
    • Single-key
    • Also “MAC-then-Encrypt” style
    • New polynomial hashing for MAC
    • “Odd” CTR (counter) mode for Enc

  14. Vector-input (VI) polynomial hashing
  • Motivation:
    • Two different inputs (H, M) ≠ (H’, M’)
    • We may have H || M = H’ || M’
    • Cannot use string-input polynomial hash
  • New notion: VI-ε-AXU hash function
    For any (H, M) ≠ (H’, M’) and any Y: Pr[ Hash_L(H, M) ⊕ Hash_L(H’, M’) = Y ] ≤ ε
    (Pr is over random hash keys L)

  15. How to construct VI--AXU hash • Finite-field polynomial • L = EK(0n) is the hashing key • For header H = H0H1H2 andmessage M = M0M1M2hash value S = L7 L5H0 L3H1 LH2 L8  L6M0 L4M1  L2M2 • Use odd for header and even for message • Note the additional leading terms

  16. Produce tag and “steal” hash
  [Figure: Header and Message enter the Polynomial Hash, giving S; S is encrypted with E_K to produce the Tag.]
  • Steal the hash “block” S and use it as IV for the CTR mode

  17. “Odd” CTR mode
  [Figure: S ⊕ <1>, S ⊕ <2>, S ⊕ <3> are each encrypted with E_K, and the outputs are XORed with M0, M1, M2 to give C0, C1, C2.]
  • <x>: integer x represented as a bit string
  • The figure marks the S ⊕ <i> offsets as necessary for the security of HBS
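The following is an added worked example, written for this transcript, of the construction sketched on slides 14–17 (VI polynomial hash, tag, hash-block stealing, odd CTR). It is not the authors' reference code. Assumptions not on the slides: the blockcipher E_K is a stand-in 4-round Feistel built from HMAC-SHA256 (used only so the example runs with the standard library; it is a placeholder for a real SPRP such as AES, not a recommendation); header and message are restricted to whole 16-byte blocks because the paper's padding rules are not on the slides; decryption recovers S by inverting E_K on the tag, which is the reading under which slide 20's SPRP assumption is needed; and the hash is evaluated by Horner's rule over GF(2^128).

```python
# Added illustration of HBS as described on slides 14-17 (not the authors' code).
import hashlib
import hmac

BLOCK = 16                     # n = 128 bits
_R = (1 << 128) | 0x87         # reduction polynomial x^128 + x^7 + x^2 + x + 1


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^128) elements (bit i of the int = coefficient of x^i)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> 128:           # degree reached 128: reduce modulo _R
            a ^= _R
        b >>= 1
    return r


def _blocks(data: bytes) -> list[int]:
    if len(data) % BLOCK:
        raise ValueError("assumption: header and message are whole 16-byte blocks")
    return [int.from_bytes(data[i:i + BLOCK], "big") for i in range(0, len(data), BLOCK)]


def vi_hash(L: int, header: bytes, message: bytes) -> int:
    """Vector-input polynomial hash of slide 15, evaluated by Horner's rule.

    For H = H0..H_{h-1} and M = M0..M_{m-1}:
      S = L^(2h+1) + L^(2h-1)*H0 + ... + L*H_{h-1}      (odd powers: header)
        + L^(2m+2) + L^(2m)*M0   + ... + L^2*M_{m-1}    (even powers: message)
    The leading L^(2h+1) and L^(2m+2) terms encode the block counts, so
    (H, M) and (H', M') with H||M = H'||M' are still hashed differently.
    """
    L2 = gf_mul(L, L)
    acc_h = 1                  # the leading 1 becomes L^(2h+1) after the final *L
    for Hi in _blocks(header):
        acc_h = gf_mul(acc_h, L2) ^ Hi
    acc_m = 1                  # the leading 1 becomes L^(2m+2) after the final *L^2
    for Mi in _blocks(message):
        acc_m = gf_mul(acc_m, L2) ^ Mi
    return gf_mul(acc_h, L) ^ gf_mul(acc_m, L2)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    l, r = block[:8], block[8:]
    for i in rounds:
        f = hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8]
        l, r = r, _xor(l, f)
    return r + l               # final swap: running the rounds in reverse order inverts


def E(key: bytes, x: bytes) -> bytes:
    """Stand-in 128-bit blockcipher (assumption: placeholder for a real SPRP)."""
    return _feistel(key, x, range(4))


def E_inv(key: bytes, y: bytes) -> bytes:
    return _feistel(key, y, reversed(range(4)))


def _hash_key(key: bytes) -> int:
    return int.from_bytes(E(key, bytes(BLOCK)), "big")   # L = E_K(0^n), slide 15


def _odd_ctr(key: bytes, S: int, data: bytes) -> bytes:
    """Slide 17: block i is masked with E_K(S xor <i+1>). The counter starts at
    <1>: E_K(S) itself (the <0> offset) is already spent on the tag."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ctr = (S ^ (i // BLOCK + 1)).to_bytes(BLOCK, "big")
        out += _xor(data[i:i + BLOCK], E(key, ctr))
    return bytes(out)


def hbs_encrypt(key: bytes, header: bytes, message: bytes) -> tuple[bytes, bytes]:
    """Returns (Tag, C). Deterministic: no nonce, equal inputs give equal outputs."""
    S = vi_hash(_hash_key(key), header, message)
    tag = E(key, S.to_bytes(BLOCK, "big"))            # slide 16: T = E_K(S)
    return tag, _odd_ctr(key, S, message)             # S is "stolen" as the CTR IV


def hbs_decrypt(key: bytes, header: bytes, tag: bytes, ct: bytes):
    """Returns M, or None (the slides' bottom symbol) if (H, T, C) fails to verify."""
    S_bytes = E_inv(key, tag)                         # recover S (needs E to be an SPRP)
    S = int.from_bytes(S_bytes, "big")
    message = _odd_ctr(key, S, ct)
    expected = vi_hash(_hash_key(key), header, message).to_bytes(BLOCK, "big")
    if not hmac.compare_digest(expected, S_bytes):    # constant-time tag check
        return None                                   # never release M on failure
    return message


if __name__ == "__main__":
    K = b"constructed-demo-key-not-secret!"          # constructed sample key
    H, M = b"header block one", b"message block 1." + b"message block 2."
    T, C = hbs_encrypt(K, H, M)
    print("tag", T.hex(), "decrypt ok:", hbs_decrypt(K, H, T, C) == M)
```

Two points the code makes concrete: the plaintext is fully recovered before the check passes (as in any MAC-then-Encrypt design where the hash doubles as IV), so an implementation must discard it on failure rather than stream it out; and the VI property is visible in the last test below, where the same bytes split differently between header and message produce a different tag.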

  18. Table of contents (section divider; same list as slide 2)

  19. Efficiency comparison
  • Header h blocks, message m blocks
  [Comparison table not captured in the transcript.]

  20. Security of HBS mode
  • Secure under the assumption that the blockcipher E is an SPRP
  • Security theorem: Adv_DAE(HBS) ≤ Adv_SPRP(E) + 33·q²·(1 + h + 2m)² / 2^n
    • q: max # of queries
    • h: max length of each header
    • m: max length of each message

  21. Thank you very much.
