EME* - PowerPoint PPT Presentation

1
EME*
  • Extending EME to handle arbitrary-length messages
    with associated data

Shai Halevi - IBM
2
Background: length-preserving tweakable encryption
  • Goal: enciphering/deciphering routines
    ciphertext = E(key, tweak, plaintext), plaintext =
    D(key, tweak, ciphertext)
  • ciphertext-length = plaintext-length
  • key is fixed and secret
  • tweak is arbitrary (even adversarially chosen)
  • Should look like:
  • A block cipher with block-size = plaintext-length
  • Different tweaks look like independent keys

3
Inherent limitations
  • Using this for encryption has problems:
  • Deterministic: an attacker can easily check if two
    plaintexts are the same
  • If they use the same tweak
  • No explicit authentication: any ciphertext is
    decrypted as something
  • An active attacker may be able to exploit it

4
So why would we want this?
  • Transparent encryption
  • Adding encryption to legacy systems
  • Lengths cannot change
  • Tweakable encryption is the best we can do
  • 1st application: sector-level encryption
  • Block-size 512 bytes, tweak 16 bytes
  • But also some communication protocols
  • Other block sizes, even variable

5
Security [Liskov-Rivest-Wagner '02]
  • Attacker has access to E(t,x), D(t,x)
  • Either E = Enc(K,t,x), D = Dec(K,t,x)
  • K fixed, random and secret
  • Or for each T:
  • E_T(x) = E(T,x) is a random (length-preserving)
    permutation, independent of other T's
  • D_T = (E_T)^-1
  • The attacker cannot tell which it is
  • Except with insignificant advantage

6
Tweakable enciphering modes
  • Building such enciphering/deciphering procedures
    from a block cipher with small blocks (e.g.,
    AES with 16 bytes)
  • When using a good cipher with n-bit blocks,
    should get (provable) security of

    (total-number-of-block-encryptions)^2 / 2^n

7
EME mode [HR04]
  • Invented for sector-level encryption
  • Tweak 16 bytes, blocks 512 bytes
  • Using AES (on 16 bytes)
  • And some other very simple operations
  • xor, multiply-by-2 in GF(2^128)
  • Two layers of masked ECB, and lightweight
    mixing in between

8
EME mode
  • E_K: AES with key K
  • L: another key
  • Derived from K
  • T: tweak
  • MP = T ⊕ Σ_i PPP_i
  • MC = E_K(MP)
  • M = MP ⊕ MC
  • CCC_1 = MC ⊕ T ⊕ Σ_{i>1} CCC_i

[Figure: EME on four blocks P1..P4. Top layer: each P_i is masked with L, 2L, 4L, 8L and passed through E_K, giving PPP_1..PPP_4. Middle: MP = T ⊕ Σ PPP, MC = E_K(MP); the masks 2M, 4M, 8M are xor-ed in, and T ⊕ Σ CCC feeds CCC_1, giving CCC_1..CCC_4. Bottom layer: each CCC_i is passed through E_K and masked with L, 2L, 4L, 8L, giving C1..C4.]
9
Limitations of EME
  • Tweak must be exactly 16 bytes
  • Input size must be a multiple of 16 bytes
  • Input cannot exceed 2KB (128 AES blocks)
  • EME is insecure for longer blocks
  • Due to linearity of usage of the mask M
  • Using 2M, 4M, ..., 2^i M for xor-ing in the middle
  • Not a problem for 512-byte sectors
  • But in other contexts this is too limiting
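As an added example (not code from the slides or from the EME authors), the EME structure of the two slides above on 1..128 blocks: masked ECB, the middle mixing with M and its GF(2^128) doublings 2M, 4M, ..., masked ECB again, and decryption as the same routine with D_K in place of E_K. The block cipher is a stand-in keyed permutation in place of AES, and L = E_K(0) is an assumption since the slides only say L is derived from K.

```python
import hashlib, functools
BLOCK = 16

def gf_double(x: int) -> int:
    # Multiply by 2 in GF(2^128) with the polynomial x^128 + x^7 + x^2 + x + 1.
    x <<= 1
    return x ^ ((1 << 128) | 0x87) if x >> 128 else x

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def feistel(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    # Stand-in keyed 16-byte permutation (4-round SHA-256 Feistel), NOT AES: swap in AES-128 for real use.
    l, r = block[:8], block[8:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        f = lambda h: hashlib.sha256(key + bytes([i]) + h).digest()[:8]
        l, r = (xor(r, f(l)), l) if decrypt else (r, xor(l, f(r)))
    return l + r

def eme(key: bytes, tweak: bytes, data: bytes, decrypt: bool = False) -> bytes:
    # EME on 1..128 blocks; the same routine decrypts with E_K replaced by D_K.
    assert len(tweak) == BLOCK and len(data) % BLOCK == 0
    m = len(data) // BLOCK
    assert 1 <= m <= 128, "EME is only defined (and secure) up to 128 blocks (2KB)"
    E = lambda b: feistel(key, b, decrypt)
    L = int.from_bytes(feistel(key, bytes(BLOCK)), "big")  # assumed: L = E_K(0^128)
    as_bytes = lambda v: v.to_bytes(BLOCK, "big")
    blocks = [data[i * BLOCK:(i + 1) * BLOCK] for i in range(m)]
    # Layer 1 (masked ECB): PPP_i = E_K(P_i xor 2^(i-1) L)
    ppp, mask = [], L
    for p in blocks:
        ppp.append(E(xor(p, as_bytes(mask))))
        mask = gf_double(mask)
    # Middle: MP = T xor sum PPP, MC = E_K(MP), M = MP xor MC
    mp = functools.reduce(xor, ppp, tweak)
    mc = E(mp)
    M = int.from_bytes(xor(mp, mc), "big")
    # CCC_i = PPP_i xor 2^(i-1) M for i >= 2, CCC_1 = MC xor T xor sum_{i>=2} CCC_i
    ccc = [xor(mc, tweak)]
    for x in ppp[1:]:
        M = gf_double(M)
        ccc.append(xor(x, as_bytes(M)))
        ccc[0] = xor(ccc[0], ccc[-1])
    # Layer 3 (masked ECB): C_i = E_K(CCC_i) xor 2^(i-1) L
    out, mask = [], L
    for c in ccc:
        out.append(xor(E(c), as_bytes(mask)))
        mask = gf_double(mask)
    return b"".join(out)
```

Enciphering the same plaintext twice under the same tweak yields the same ciphertext, which is the determinism limitation noted on slide 3; a different tweak gives an unrelated ciphertext.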

10
Removing the limitations
  • Arbitrary-length tweak
  • a.k.a. associated data
  • Blocks longer than 2KB
  • Similar to EME from the appendix of [HR04]
  • Arbitrary-length blocks
  • But not less than 16 bytes

11
Arbitrary-length tweak
  • Hash the tweak in a PMAC-like fashion
  • Tweak T = T_1 T_2 ... T_r T_{r+1}
  • Each T_i is 16 bytes, T_{r+1} can be shorter
  • R is another random key
  • Hashed tweak T* = Σ_i E_K(2^i R ⊕ T_i) ⊕ 2^i R
  • Partial block at end treated differently
  • Adding 2^i R outside the encryption probably not
    needed, but easier to prove this way

12
Blocks longer than 2KB
  • Use more than one mask, M_1, M_2, ...
  • Each derived from E_K(), used for 128 blocks

[Figure: the EME layout around the boundary between the first and second group of 128 blocks: P128..P131 through E_K to PPP128..PPP131, T ⊕ Σ PPP, MP_1, E_K, MC_1, with 2^127 M_1 as the last mask of the first group, T ⊕ Σ CCC, CCC128..CCC131, E_K, C128..C131.]
13
Arbitrary-length input
  • Use yet another mask (call it MM)

[Figure: EME* on input P1, P2, ..., P_t, P_{t+1} (partial): blocks pass through the masked E_K layer to PPP_1, ..., then T ⊕ Σ PPP, T ⊕ Σ CCC, CCC_{n+1} for the partial block, and out to C1, C2, ..., C_t, C_{t+1} (partial).]
14
The end-result: EME*
15
Security
  • An attacker that makes q queries, totaling (L_d,
    L_a) blocks, has advantage at most
    (L_a + 2.25(q + L_d))^2 / 2^n
  • Proof is long
  • But not hard (given the proof of EME)

16
Backward compatibility
  • When input is a multiple of 16 bytes and no more
    than 2KB, EME* is almost the same as EME
  • Only difference is hashing of the tweak
  • So implementations of EME should be able to
    re-use hardware/software when doing EME*

17
Conclusions
  • EME* extends EME to handle arbitrary-long input,
    arbitrary-long tweaks
  • But input cannot be less than 16 bytes
  • Handling very short inputs is an open problem
  • EME* maintains essentially the same efficiency
    parameters as EME
  • Long version on ePrint:
  • http://eprint.iacr.org/2004/125/