Exponential Attacks - PowerPoint PPT Presentation

1
Exponential Attacks
on Blockcipher Families
  • Hakan Ali-John Seyalioglu

2
The Problem.
  • To give the first formal and thorough treatment
    of a class of tweakable blockciphers with
    exponential adversaries.

3
Definitions.
  • Blockcipher: An algorithm which takes in two
    inputs.
  • The Message: A binary sequence taken from {0,1}^k
    to be encrypted.
  • The Key: A binary sequence taken from {0,1}^k which
    initiates the blockcipher. We assume that a
    secure blockcipher is secure when initialized under
    any key.
4
Definitions.
  • Tweakable Blockcipher: An algorithm which takes
    in three inputs.
  • The Message
  • The Key
  • The Tweak: An index for the blockcipher. A secure
    tweakable blockcipher acts as a secure
    independent blockcipher on each tweak.

5
Security Definitions (1).
  • The Adversary: A Turing machine whose function is
    to distinguish between the blockcipher and a
    random permutation with non-negligible
    probability.
  • Negligible function: A function (in our case, of
    the security parameter k) which, for
    sufficiently large input, is smaller than any
    inverse polynomial.

Example. 2^{-k}, 2^{-k/c}
6
Security Definitions (2).
  • Security for a Blockcipher.
  • A blockcipher is said to be secure if it is
    indistinguishable from a random
    permutation to a class of adversaries prescribed
    in the security definition.

Polynomial Security: The adversary is limited to
a number of interactions with the blockcipher and
a number of computations bounded by a polynomial
in the security parameter k.
Exponential Security: The adversary is limited to
an exponential number of interactions with
the blockcipher and is allowed unbounded
computations.
7
Security Definitions (3).
  • Interactions.

KPA: Known Plaintext Attack
CPA: Chosen Plaintext Attack
CCA: Chosen Ciphertext Attack
Example. A blockcipher that is KPA-P (Known
Plaintext - Polynomial) secure is secure against
all polynomial adversaries with access to a
random plaintext encryption transcript. A
blockcipher that is CCA-E (Chosen Ciphertext -
Exponential) secure is secure against all
exponential adversaries with access to encryption
and decryption queries.
8
Security Definitions (4).
  • Security for a Tweakable Blockcipher.
  • A tweakable blockcipher is said to be secure if
    it is indistinguishable from an independent
    family of random permutations indexed by the
    tweak.

Formalized by Liskov, Rivest and Wagner in 2002.
ETE: their CPA-P secure construction.
HEH: their CCA-P secure construction.
9
Proofs of Security.
  • In this presentation, we will present attacks in
    the following manner.

If, for any step, the difference between the
probability on the left of the table (the
construction, Pt) and on the right (the random
permutation, Pr) is non-negligible, we can
construct a distinguishing function.
10
Part 1. TEH-Model.
  • As a first step, we introduce a way of creating
    blockciphers in the spirit of LRW.
  • Three operations are allowed on the dataflow:

Encrypt
XOR the Tweak
XOR a pseudorandom function call (hash) of the
Tweak
Attention: Exponential implies # of Queries << 2^k
11
TEH-Model.
  • Examples.

HE: C = H(T) ⊕ E(M)
HETEH: C = H(T) ⊕ E(T ⊕ E(H(T) ⊕ M))
12
A Few Attacks. TEH-Model.
  • At this point, we'd like to give several attacks.

13
A Few Attacks. TEH-Model.
  • (Event 1)

Query 2 messages M, M' with tweaks T, T'.
Check if E(M, T) ⊕ E(M', T) = E(M, T') ⊕ E(M', T').
Notice that if E = HE: E(M, T) = H(T) ⊕ E(M),
E(M', T) = H(T) ⊕ E(M').
So, E(M, T) ⊕ E(M', T) = E(M) ⊕ E(M').
And, E(M, T') ⊕ E(M', T') = E(M) ⊕ E(M').
14
A Few Attacks. TEH-Model.
  • (Event 1)

Query 2 messages M, M' with tweaks T, T'.
Check if E(M, T) ⊕ E(M', T) = E(M, T') ⊕ E(M', T').
Notice that if E is the random permutation,
such a collision will occur with probability
exactly 2^{-k} (it requires a coincidence on a
random permutation on 2^k elements).
15
A Few Attacks. TEH-Model.
  • Returning to the table.

It follows that this attack distinguishes easily.
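Event 1 on the HE construction, as an added example that is not part of the original presentation: a toy model with k = 16 in which E is a lazily sampled random permutation, H a random function, and the right side of the table is an independent random permutation per tweak. The function names and the block size are assumptions made here, not the slides' notation.

```python
import random

K = 16  # toy block size in bits (constructed; a real cipher would use 128)

def lazy_permutation(rng):
    """Ideal blockcipher under one key: a lazily sampled random permutation of {0,1}^K."""
    fwd, used = {}, set()
    def perm(x):
        if x not in fwd:
            y = rng.getrandbits(K)
            while y in used:          # keep the map injective
                y = rng.getrandbits(K)
            fwd[x] = y
            used.add(y)
        return fwd[x]
    return perm

def lazy_function(rng):
    """Ideal PRF H: a random function {0,1}^K -> {0,1}^K, sampled lazily."""
    memo = {}
    def h(x):
        if x not in memo:
            memo[x] = rng.getrandbits(K)
        return memo[x]
    return h

def he_construction(rng):
    """TEH-model construction HE from the slides: C = H(T) xor E(M)."""
    e, h = lazy_permutation(rng), lazy_function(rng)
    return lambda m, t: h(t) ^ e(m)

def ideal_tweakable(rng):
    """Right side of the table: an independent random permutation per tweak."""
    perms = {}
    return lambda m, t: perms.setdefault(t, lazy_permutation(rng))(m)

def event1(enc, m, m2, t, t2):
    """Event 1 check: E(M,T) xor E(M',T) == E(M,T') xor E(M',T')."""
    return enc(m, t) ^ enc(m2, t) == enc(m, t2) ^ enc(m2, t2)

def event1_rate(make_oracle, trials=200, seed=1):
    """Fraction of fresh (M, M', T, T') quadruples on which Event 1 holds."""
    rng = random.Random(seed)
    enc = make_oracle(rng)
    hits = 0
    for _ in range(trials):
        m, m2 = rng.sample(range(1 << K), 2)  # two distinct messages
        t, t2 = rng.sample(range(1 << K), 2)  # two distinct tweaks
        hits += event1(enc, m, m2, t, t2)
    return hits / trials
```

For HE the rate is exactly 1.0 because the equality is an algebraic identity, while for the ideal tweakable permutation it is about 2^{-16}; that gap is what makes Event 1 a distinguisher.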
16
A Few Attacks. TEH-Model.
  • A second attack.

17
A Few Attacks. TEH-Model.
  • (Event 2)

Query two messages M, M' with 2^{k/2} tweaks.
Check if there is an equality E(M, T) ⊕ E(M', T) =
E(M, T') ⊕ E(M', T') for some pair of tweaks T, T'.
(This requires more than 2^{k/2} computations,
but we assume unbounded computational power.)
18
A Few Attacks. TEH-Model.
  • Evaluating Pt

Since H is a pseudorandom function from k bits
to k bits queried on 2^{k/2} distinct inputs,
we may assume with non-negligible probability p
that for some T, T' we have a collision of the type
H(T) = H(T').
This implies E(M, T) ⊕ E(M', T) = E(M ⊕ H(T)) ⊕ E(M' ⊕ H(T))
and E(M, T') ⊕ E(M', T') = E(M ⊕ H(T')) ⊕ E(M' ⊕ H(T')),
and thus Pt can be bounded below by p.
19
A Few Attacks. TEH-Model.
  • Evaluating Pr

Since E is a pseudorandom permutation from k
bits to k bits queried on 2^{k/2} distinct
inputs, the probability that any pair matches in
this fashion can be bounded above by the
probability p.
20
A Few Attacks. TEH-Model.
  • Returning to the table.

Since we still cannot distinguish with
non-negligible probability, we will introduce a
second step to the attack.
21
A Few Attacks. TEH-Model.
  • The Second Event.

22
A Few Attacks. TEH-Model.
  • (Event 2a)

(Event 2)
For all pairs T, T' that produce the equality in
(Event 2), check if there is one equality
E(M, T) ⊕ E(M', T) = E(M, T') ⊕ E(M', T')
for any pair of messages M, M'.
23
A Few Attacks. TEH-Model.
  • Evaluating Pt

Notice that if we assume we have a collision of
the type
H(T) = H(T'),
then E(M, T) ⊕ E(M', T) = E(M, T') ⊕ E(M', T')
for any M, M'.
Therefore, Pt is at least p, which is
non-negligible.
24
A Few Attacks. TEH-Model.
  • Evaluating Pr

Recall (Event 2): since E is a pseudorandom
permutation from k bits to k bits queried on
2^{k/2} distinct inputs, the probability that any
pair matches in this fashion can be bounded above
by the probability p.
It is a result from probability that the number of
such equalities is bounded by a polynomial in k
when E is a random function family. The
probability of getting the additional collision
described by (Event 2a) for any such collided
pair is 2^{-k}. Since we have polynomially many
opportunities for an event of probability 2^{-k},
Pr is a negligible function.
25
A Few Attacks. TEH-Model.
  • Returning to the table.

Since p is non-negligible, this is a
distinguishing attack.
26
A Final Attack. TEH-Model.
  • We will provide one final attack

27
A Final Attack. TEH-Model.
  • (Event 3)

Query 2^{k/2} messages with tweaks T, T'.
Check if there is an equality E(M, T) ⊕ E(M', T) =
E(M, T') ⊕ E(M', T') for some pair of messages M, M'.
For all such equalities, take a second pair of
tweaks T'', T''' with T ⊕ T' = T'' ⊕ T'''.
Check if there is one equality E(M, T'') ⊕
E(M', T'') = E(M, T''') ⊕ E(M', T''').
28
A Final Attack. TEH-Model.
  • This time, let us evaluate Pr first

Similar to (Event 2a), there are, with probability
1 - negligible, only polynomially many collisions
of the type
E(M, T) ⊕ E(M', T) = E(M, T') ⊕ E(M', T').
Therefore, the probability of there being a collision of the type
E(M, T'') ⊕ E(M', T'') = E(M, T''') ⊕ E(M', T''')
for one of these polynomially many pairs is
negligible.
Therefore, Pr is negligible.
29
A Final Attack. TEH-Model.
  • Evaluating Pt

This time, we will assume that with probability p we
have a collision of the type
E(M) ⊕ T = E(M') ⊕ T'.
Then, E(M, T) ⊕ E(M', T') = H(T) ⊕ H(T') and
E(M, T') ⊕ E(M', T) = H(T) ⊕ H(T').
And thus, E(M, T) ⊕ E(M', T') = E(M, T') ⊕ E(M', T),
which is the equality of (Event 3) rearranged.
The collision is preserved if T and T' are
replaced with T'', T''', since T ⊕ T' = T'' ⊕ T'''
gives E(M) ⊕ T'' = E(M') ⊕ T'''.
30
A Final Attack. TEH-Model.
  • Returning to the table.

Therefore, this attack distinguishes successfully.
31
TEH-Model Results.
  • It is trivial to verify that 3 operations are
    minimal for CCA-P security (LRW give a
    construction).
  • We prove that no 4 operation construction is
    CCA-E secure.

Conjecture: HETEH is CCA-E secure.
32
Part 2. TX-Model.
  • A way to make a Feistel network into a tweakable
    blockcipher with set modifications.

33
Definitions.
  • Feistel Network.

A method to transform a fixed number of
pseudorandom functions into a pseudorandom
permutation.
The number of rounds a construction uses
corresponds to the number of pseudorandom
functions needed to construct it.
3 rounds are CPA-P secure and this is round
optimal.
4 rounds are CCA-P secure and this is round
optimal.
  • Seminal work conducted by M. Luby and C. Rackoff

34
Definitions.
  • Results of Patarin.

5 rounds are CPA-E secure and this is round
optimal.
5 rounds are CCA-E secure and this is round
optimal.
On input length 2k, Patarin dealt with security for
queries << 2^k because this is the most
security that can be assumed of the round
function.
35
TX-Model.
  • In the model introduced, the tweak is allowed to
    be XOR'ed into the dataflow at any point.

Notice that on the figure to the right, any
location can be accessed and modified in the
desired fashion.
36
TX-Model.
  • CGHLS Results
  • There is a 4 round CPA-P and a 6 round CCA-P
    secure construction and these are round optimal
  • There is a 7 round CPA-E and a 10 round CCA-E
    secure construction

We will show that there does not exist a secure 6
round CPA-E construction, proving minimality.
37
Our Methods. TX-Model.
  • Reduction of Cases.
  • We may simulate away R_0, R_1, L_n and R_n
    modifications.
  • Theorem 3.1.1. Any construction is equivalent to
    a construction with only R_i modifications.
  • Example. R_{1.5} R_1 R_3 R_3
38
4 Attacks. TX-Model.
  • We will provide four attacks which will suffice
    to distinguish every six round construction from
    a random permutation.
  • In this presentation, we will represent any
    construction as the set of all the R locations at
    which a modification is made.

Example. {1.5, 2, 4}
39
Attack 1. TX-Model.
  • Our first attack follows.

40
Attack 1. TX-Model.
  • (Event 4)

Query one message M with 2^{k/2} tweaks.
Check if there is an equality E(M, T) = E(M, T')
for some pair of tweaks T, T'.
41
Attack 1. TX-Model.
  • Evaluating Pt

We may assume, with non-negligible probability p,
that there is a collision of the type
f_i(T) ⊕ R = f_i(T') ⊕ R, where f_i is the function
for round i,
because we are querying a random function from
k bits to k bits with 2^{k/2} different
inputs.
Notice that if such a collision happens, the
entire ciphertext collides and (Event 4) is
satisfied.
42
Attack 1. TX-Model.
  • Evaluating Pr

Pr is the probability of having a collision on
two independent random outputs from 2k bits to
2k bits.
Since we queried 2^{k/2} times and 2^{k/2} <<
2^k, this probability is negligible.
43
Attack 1. TX-Model.
  • Returning to the table.

Therefore, this attack distinguishes successfully.
44
Attack 2. TX-Model.
  • Our second attack follows.

45
Attack 2. TX-Model.
  • (Event 5)

Query one message M with 2^{k/2} tweaks.
Check if there is an equality E(M, T) = E(M, T').
The proof for this case is identical to the
previous, except that instead of expecting a
collision of the type f_i(T) ⊕ R = f_i(T') ⊕ R
we expect a collision of the type f_i(T) ⊕ T ⊕ R =
f_i(T') ⊕ T' ⊕ R.
46
Attack 3. TX-Model.
  • Our third attack follows.

Let n be the number of rounds.
47
Attack 3. TX-Model.
  • (Event 6)

Query one message M with q tweaks, where q
satisfies the following:
if p is the probability of picking the same
element twice out of a set of 2^k elements with
replacement in q draws, then
p and 1 - p are both non-negligible.
Check if there is an equality of the following
type: L = L', where L is the left side of the
output XORed with the tweak.
48
Attack 3. TX-Model.
  • Let us evaluate Pr first

Notice that each call is an independent random
permutation call on a fixed input. Therefore, the
probability of having such a collision is the
same as having a collision when picking random
elements out of a set with replacement.
Therefore, Pr = p.
49
Attack 3. TX-Model.
  • Let us now evaluate Pt

Notice that if we have a collision on the
outputs of f for any two queries, such a
collision is automatic.
We may therefore assume that with probability p
such a collision always happens.
We will also show that in the case where all
outputs of f are distinct, there is a
non-negligible probability of such a collision.
50
Attack 3. TX-Model.
Let X denote the value of the dataflow at the R_{n-3}
location.
We would like the probability that all of the Y =
R_{n-2} values are distinct.
Notice that if two X values are the same, the Y
values must differ because the scheme acts as a
permutation after the point with the distinct
outputs of f.
The probability that all X values are distinct,
after taking into account the bounds on q, can be
bounded below by .28.
51
Attack 3. TX-Model.
With distinct Y values, the probability of a
collision on two R_{n-1} values is p.
Such a collision immediately implies an L
collision as in the description of (Event 6).
It follows that the overall probability of (Event
6) is bounded below by
p + (1 - p)(.28)p
52
Attack 3. TX-Model.
  • Therefore,

Which succeeds in distinguishing because of the
condition on p.
53
Attack 4. TX-Model.
  • The last attack is similar,

This extension is identical to the extension of
Attack 1 to Attack 2 and is thus omitted.
54
Final Results. TX-Model.
  • The figure on the right shows how these four
    attacks break all non-trivial constructions.

55
Our Results. TX-Model.
We show that there does not exist a secure 6
round CPA-E construction, proving minimality.
Unfortunately, improving on the 10 Round
construction is significantly more difficult, so
we look to another method for improving this
result.
56
TX2-Model.
  • Motivated to improve on the 10 round CCA-E
    construction of CGHLS, we introduce a new model
    incorporating pseudorandom functions of the tweak
    to be XORed into the datastream.

Each new function needed counts as an extra
round; multiple uses of the same function call on
the tweak do not add to the overhead.
57
Difficulties. TX2-Model.
  • Reduction of Cases.
  • With Theorem 3.1.1, cases expand from 2^{R2} to
    (R2)^{R2}.
  • Theorem 3.1.4.

58
Our Results. TX2-Model.
We give a 7 round CCA-E secure construction
(inspired by LRW's HEH construction).
We show that minimality for CPA-E and CCA-E is
either 6 or 7 rounds.
We give various security results for CCA-E
security:
No construction with a single XOR of a function
call of the tweak in 6 rounds is CCA-E secure.
No construction with a single XOR of a function
call of the tweak and a single R_i modification
in 6 rounds is CCA-E secure.
59
Summary of Results.
  • We formalize a method of constructing tweakable
    blockciphers using an underlying blockcipher as a
    black box and prove that no construction with
    four operations or less is secure.
  • We analyse the model introduced by CGHLS and
    prove minimality for their CPA-E construction.
  • We introduce a natural way to expand upon their
    model and provide a 3 round improvement on their
    CCA-E construction. We also prove several results
    towards minimality.

60
Thank You.
Questions?