CENC is Optimally Secure
At FSE 2006, Iwata introduced the CENC encryption mode and proved its security up to 2^{2n/3} plaintext blocks processed in total. He conjectured optimal security up to a constant. In this brief note, we confirm this conjecture. Rather than proving it ourselves, we point out that the conjecture's proof follows as a corollary of Patarin's ``Theorem P_i xor P_j for any xi_max'' from 2010. This connection appears to have remained unnoticed, and the sole purpose of this brief note is to make the connection explicit.
Forking Sums of Permutations for Optimally Secure and Highly Efficient PRFs
The desirable encryption scheme possesses high PRF security, high efficiency, and the ability to produce variable-length outputs. Since designing dedicated secure PRFs is difficult, a series of works was devoted to building optimally secure PRFs from the sum of independent permutations (SoP), Encrypted Davies-Meyer (EDM), its Dual (EDMD), and the Summation-Truncation Hybrid (STH) for variable output lengths, which can be easily instantiated from existing permutations. For increased efficiency, reducing the number of operations in established primitives has been gaining traction: Mennink and Neves pruned EDMD to FastPRF, and Andreeva et al. introduced ForkCiphers, which take an n-bit input, process it through a reduced-round permutation, fork it into two states, and feed each of them into another reduced-round permutation to produce a 2n-bit output. The constructions above can be used in secure variable-length modes or generalizations such as MultiForkCiphers.
In this paper, we suggest a framework of those constructions in terms of the three desiderata: we span the spectrum of (1) output length vs. PRF security, (2) full vs. round-reduced primitives, and (3) fixed- vs. variable-length outputs. From this point of view, we identify remaining gaps in the spectrum and fill them with the proposal of several highly secure and efficient fixed- and variable-output-length PRFs.
We fork SoP and STH to ForkPRF and ForkSTH, extend STH to the variable-output-length construction STHCENC, which bridges the gap between CTR mode and CENC, and propose ForkCENC, ForkSTHCENC, ForkEDMD, as well as ForkEDM-CTR as the variable-output-length and round-reduced versions of CENC, STH, FastPRF, and FastPRF's dual, respectively.
Using recent results on Patarin's general Mirror Theory, we have proven that almost all our proposed PRFs are optimally secure under the assumption that the permutations are pairwise independent and random, and that STH achieves the optimal security depending on the output length. Our constructions can be highly efficient in practice. We propose efficient instantiations from round-reduced AES and back them with the cryptanalysis lessons learned from existing earlier analysis of AES-based primitives.
XOCB: Beyond-Birthday-Bound Secure Authenticated Encryption Mode with Rate-One Computation (Full Version)
We present a new block cipher mode of operation for authenticated encryption (AE), dubbed XOCB, that has the following features: (1) beyond-birthday-bound (BBB) security based on the standard pseudorandom assumption of the internal block cipher if the maximum block length is sufficiently smaller than the birthday bound, (2) rate-1 computation, and (3) support for any block cipher with any key length. Namely, XOCB has effectively the same efficiency as the seminal OCB while having stronger quantitative security without any change in the security model or the required primitive in OCB. Although numerous studies have been conducted in the past, our XOCB is the first mode of operation to achieve these multiple goals simultaneously.
Proof of Mirror Theory for a Wide Range of
In CRYPTO'03, Patarin conjectured a lower bound on the number of distinct solutions satisfying a system of equations of the form such that , are pairwise distinct. This result is known as the ``Theorem for any '' or alternatively as Mirror Theory for general , which was later proved by Patarin in ICISC'05. Mirror theory for general stands as a powerful tool to provide a high-security guarantee for many block-cipher- (or even ideal-permutation-) based designs. Unfortunately, the proof of the result contains gaps that are non-trivial to fix. In this work, we present the first complete proof of the theorem for a wide range of , typically up to order . Furthermore, our proof approach is made simpler by using a new type of equation, dubbed the link-deletion equation, that roughly corresponds to half of the so-called orange equations from earlier works. As an illustration of our result, we also revisit the security proofs of two optimally secure block-cipher-based pseudorandom functions, and the -bit security proof for the six-round Feistel cipher, and provide updated security bounds.
Revisiting Variable Output Length XOR Pseudorandom Function
Let σ be some positive integer and C ⊆ {(i, j) : 1 ≤ i < j ≤ σ}. The theory behind finding a lower bound on the number of distinct blocks P1, . . . , Pσ ∈ {0, 1}n satisfying a set of linear equations {Pi ⊕ Pj = ci,j : (i, j) ∈ C} for some ci,j ∈ {0, 1}n is called mirror theory. Patarin introduced the mirror theory and provided a proof for this. However, the proof, even for a special class of equations, is complex and contains several non-trivial gaps. As an application of mirror theory, XORP[w] (known as the XOR construction), returning (w−1) block output, is a pseudorandom function (PRF) for some parameter w, called width. The XOR construction can be seen as a basic structure of some encryption algorithms, e.g., the CENC encryption and the CHM authenticated encryption, proposed by Iwata in 2006. Due to the potential application of XORP[w] and the nontrivial gaps in the proof of mirror theory, an alternative simpler analysis of the PRF-security of XORP[w] would be much desired. Recently (in Crypto 2017) Dai et al. introduced a tool, called the χ2 method, for analyzing PRF-security. Using this tool, the authors have provided a proof of PRF-security of XORP[2] without relying on the mirror theory. In this paper, we resolve the general case; we apply the χ2 method to obtain a simpler security proof of XORP[w] for any w ≥ 2. For w = 2, we obtain a tighter bound for a wider range of parameters than that of Dai et al. Moreover, we consider the variable width construction XORP[∗] (in which the widths are chosen by adversaries adaptively), and also provide a variable output length pseudorandom function (VOLPRF) security analysis for it. As an application of VOLPRF, we propose an authenticated encryption which is a simple variant of CHM or AES-GCM and provides much higher security than those at the cost of one extra blockcipher call for every message.
CENCPP* - Beyond-birthday-secure Encryption from Public Permutations
Public permutations have been established as important primitives for the purpose of designing cryptographic schemes. While many such schemes for authentication and encryption have been proposed in the past decade, the birthday bound in terms of the primitive's block length has been mostly accepted as the standard security goal. Thus, remarkably little research has been conducted yet on permutation-based modes with higher security guarantees. At CRYPTO'19, Chen et al. showed two constructions with higher security based on the sum of two public permutations. Their work has sparked increased interest in this direction by the community. However, since their proposals were domain-preserving, the question of encryption schemes with beyond-birthday-bound security was left open. This work tries to address this gap by proposing , a nonce-based encryption scheme from public permutations. Our proposal is a variant of Iwata's block-cipher-based mode CENC that we adapt for public permutations, thereby generalizing Chen et al.'s Sum-of-Even-Mansour construction to a mode with variable output lengths. Like CENC, our proposal enjoys a comfortable rate-security trade-off that needs calls to the primitive for primitive outputs. We show a tight security level for up to primitive calls. While the term of can be arbitrary, two independent keys suffice. Beyond our proposal of in a generic setting with independent permutations, we show that only bits of the input for domain separation suffice to obtain a single-permutation variant with a security level of up to queries.
The Summation-Truncation Hybrid: Reusing Discarded Bits for Free
A well-established PRP-to-PRF conversion design is truncation: one evaluates an -bit pseudorandom permutation on a certain input, and truncates the result to bits. The construction is known to achieve tight security. Truncation has gained popularity due to its appearance in the GCM-SIV key derivation function (ACM CCS 2015). This key derivation function makes four evaluations of AES, truncates the outputs to bits, and concatenates these to get a -bit subkey.
In this work, we demonstrate that truncation is wasteful. In more detail, we present the Summation-Truncation Hybrid (STH). At a high level, the construction consists of two parallel evaluations of truncation, where the truncated -bit chunks are not discarded but rather summed together and appended to the output. We prove that STH achieves a similar security level as truncation, and thus that the bits of extra output are rendered for free. In the application of GCM-SIV, the current key derivation can be used to output bits of random material, or it can be reduced to three primitive evaluations. Both changes come with no security loss.
Beyond Birthday Bound Secure MAC in Faulty Nonce Model
Encrypt-then-MAC (EtM) is a popular mode for authenticated encryption (AE). Unfortunately, almost all designs following the EtM paradigm, including the AE suites for TLS, are vulnerable to nonce misuse. A single repetition of the nonce value reveals the hash key, leading to a universal forgery attack. There are only two authenticated encryption schemes following the EtM paradigm which can resist nonce misuse attacks, GCM-RUP (CRYPTO-17) and GCM/2+ (INSCRYPT-12). However, they are secure only up to the birthday bound in the nonce-respecting setting, resulting in a restriction on the data limit for a single key. In this paper we show that nEHtM, a nonce-based variant of EHtM (FSE-10) constructed using a block cipher, has beyond birthday bound (BBB) unforgeable security that gracefully degrades under nonce misuse. We combine nEHtM with the CENC (FSE-06) mode of encryption using the EtM paradigm to realize a nonce-based AE, CWC+. CWC+ is very close (requiring only a few more xor operations) to the CWC AE scheme (FSE-04), and it not only provides BBB security but also gracefully degrading security on nonce misuse.
Design and implementation of robust systems for secure malware detection
Malicious software (malware) has significantly increased in terms of number and effectiveness during the past years. Until 2006, such software was mostly used to disrupt network infrastructures or to show coders' skills. Nowadays, malware constitutes a very important source of economic profit, and is very difficult to detect. Thousands of novel variants are released every day, and modern obfuscation techniques are used to ensure that signature-based anti-malware systems are not able to detect such threats. This tendency has also appeared on mobile devices, with Android being the most targeted platform. To counteract this phenomenon, a lot of approaches have been developed by the scientific community that attempt to increase the resilience of anti-malware systems. Most of these approaches rely on machine learning, and have become very popular also in commercial applications. However, attackers are now knowledgeable about these systems, and have started preparing their countermeasures. This has led to an arms race between attackers and developers. Novel systems are progressively built to tackle the attacks, which get more and more sophisticated. For this reason, a necessity grows for the developers to anticipate the attackers' moves. This means that defense systems should be built proactively, i.e., by introducing some security design principles in their development.

The main goal of this work is showing that such a proactive approach can be employed on a number of case studies. To do so, I adopted a global methodology that can be divided into two steps. First, understanding what the vulnerabilities of current state-of-the-art systems are (this anticipates the attacker's moves). Then, developing novel systems that are robust to these attacks, or suggesting research guidelines with which current systems can be improved. This work presents two main case studies, concerning the detection of PDF and Android malware. The idea is showing that a proactive approach can be applied both on the x86 and mobile world. The contributions provided on these two case studies are manifold. With respect to PDF files, I first develop novel attacks that can empirically and optimally evade current state-of-the-art detectors. Then, I propose possible solutions with which it is possible to increase the robustness of such detectors against known and novel attacks. With respect to the Android case study, I first show how current signature-based tools and academically developed systems are weak against empirical obfuscation attacks, which can be easily employed without particular knowledge of the targeted systems. Then, I examine a possible strategy to build a machine learning detector that is robust against both empirical obfuscation and optimal attacks. Finally, I will show how proactive approaches can also be employed to develop systems that are not aimed at detecting malware, such as mobile fingerprinting systems. In particular, I propose a methodology to build a powerful mobile fingerprinting system, and examine possible attacks with which users might be able to evade it, thus preserving their privacy.

To provide the aforementioned contributions, I co-developed (with the cooperation of the researchers at PRALab and Ruhr-Universität Bochum) various systems: a library to perform optimal attacks against machine learning systems (AdversariaLib), a framework for automatically obfuscating Android applications, a system for the robust detection of JavaScript malware inside PDF files (LuxOR), a robust machine learning system for the detection of Android malware, and a system to fingerprint mobile devices. I also contributed to developing Android PRAGuard, a dataset containing a lot of empirical obfuscation attacks against the Android platform. Finally, I entirely developed Slayer NEO, an evolution of a previous system for the detection of PDF malware. The results attained by using the aforementioned tools show that it is possible to proactively build systems that predict possible evasion attacks. This suggests that a proactive approach is crucial to build systems that provide concrete security against general and evasion attacks.