1 HBS: A Single-Key Mode of Operation for Deterministic Authenticated Encryption Tetsu Iwata (Nagoya University, Japan) Kan Yasuda (NTT Corporation, Japan) FSE Feb. 25, Leuven, Belgium

2 Table of contents Background and motivation  Authenticated encryption (AE)  Deterministic AE (DAE)  Previous work: SIV HBS (Hash Block Stealing)  How it works  Its efficiency and security

3 Background (AE) Blockcipher modes of operation Two goals:  To establish authenticity (data integrity)  To preserve privacy (data confidentiality) Authenticated Encryption (AE)  Concurrently achieves the two goals

4 Background (AE, nonce-based) AE  CCM, GCM, OCB, …  Usually uses a randomized salt or state-dependent value  Formalized as nonce-based AE [Rogaway 2001, 2002, 2004] Nonce  Never repeat the same value, or lose all security

5 Table of contents Background and motivation  Authenticated encryption (AE)  Deterministic AE (DAE)  Previous work: SIV HBS (Hash Block Stealing)  How it works  Its efficiency and security

6 Background (DAE) Nonce misuse  Settled by Deterministic Authenticated Encryption (DAE) [Rogaway – Shrimpton 2006] DAE  “Secure” even if the same value is used (all an adversary can do is to detect the repetition)

7 Background (How DAE works) Deterministic algorithms Encryption  Input: (Header H, Message M) Output: (Tag T, Encrypted Msg C) Decryption  Verifies (H, T, C)  Outputs either  or M

8 Security definition of DAE Enc H, M T, C Adversaries Cannot distinguish ? Dec H, T, C  / M Random H, M $$$  H, T, C  Real Ideal

9 Table of contents Background and motivation  Authenticated encryption (AE)  Deterministic AE (DAE)  Previous work: SIV HBS (Hash Block Stealing)  How it works  Its efficiency and security

10 SIV mode of operation A concrete DAE mode [Rogaway – Shrimpton Eurocrypt 2006] “MAC-then-Encrypt” Entirely blockcipher-based  Uses CMAC* (vectorized CMAC) for authentication  Uses CTR mode for encryption Requires two keys

11 Motivation: Can we construct a single-key DAE mode?

12 Table of contents Background and motivation  Authenticated encryption (AE)  Deterministic AE (DAE)  Previous work: SIV HBS (Hash Block Stealing)  How it works  Its efficiency and security

13 HBS (Hash Block Stealing) The HBS mode  Single-key  Also “MAC-then-Encrypt” style  New polynomial-hashing for MAC  “Odd” CTR (counter) mode for Enc

14 Vector-input (VI) polynomial hashing Motivation:  Two different inputs (H,M)  (H’,M’)  We may have H || M = H’ || M’  Cannot use string-input polynomial hash New notion: VI-  –AXU hash function For any (H,M)  (H’,M’) and Y Pr[ Hash L (H,M)  Hash L (H’,M’)=Y] ≤  Pr is over random hash keys L

15 How to construct VI-  -AXU hash Finite-field polynomial L = E K (0 n ) is the hashing key For header H = H 0 H 1 H 2 and message M = M 0 M 1 M 2 hash value S = L 7  L 5 H 0  L 3 H 1  LH 2  L 8  L 6 M 0  L 4 M 1  L 2 M 2 Use odd for header and even for message Note the additional leading terms

16 Produce tag and “Steal” hash Polynomial Hash HeaderMessage Tag EKEK S Steal the hash “block” and use it as IV for the CTR mode

17 “Odd” CTR mode M0M0 EKEK S   C0C0 M1M1 EKEK  C1C1 M2M2 EKEK  C2C2  XOR Integer x rep. as bit string Necessary for the security of HBS

18 Table of contents Background and motivation  Authenticated encryption (AE)  Deterministic AE (DAE)  Previous work: SIV HBS (Hash Block Stealing)  How it works  Its efficiency and security

19 Efficiency comparison SIVHBS # of blockcipher keys 21 # of calls to blockcipher h + 2m + 2m + 2 # of multiplications 0h + m + 2 Header h blocks, message m blocks

20 Security of HBS mode Secure under the assumption that the blockcipher E is a SPRP Security theorem: Adv DAE (HBS) ≤ Adv SPRP (E) + 33q 2 (1+h+2m) 2 /2 n q max # of queries h max length of each header m max length of each message

21 Thank you very much.