PAEQ: Parallelizable Permutation-based
Authenticated Encryption
Alex Biryukov and Dmitry Khovratovich
University of Luxembourg
12 October 2014
Authenticated encryption
Simple encryption
If you just want to protect confidentiality of your data, you use (simple) symmetric encryption:
X
EK
C encrypt
N use and transmit
N Nonce Plaintext
Ciphertext
• Agree on the key K;
• Choose nonce N uniquely for each piece of data;
• Encrypt and send.
Good encryption scheme makes ciphertexts look random (even if plaintexts repeat).
No integrity protection.
Simple encryption
If you just want to protect confidentiality of your data, you use (simple) symmetric encryption:
X
EK
C encrypt
N use and transmit
N Nonce Plaintext
Ciphertext
• Agree on the key K;
• Choose nonce N uniquely for each piece of data;
• Encrypt and send.
Good encryption scheme makes ciphertexts look random (even if plaintexts repeat).
No integrity protection.
Encryption and authentication
If you also want to protect integrity of your data (i.e. authenticate the message), you use authenticated encryption:
X
EK
C T
authenticate encrypt and
N use and transmit
N Plaintext
Ciphertext
Tag
• Tag T is added to each ciphertext;
• Adversary can not modify C||T without getting noticed.
Good encryption scheme should decrypt forged ciphertext to⊥ (invalid).
We might also want to authenticate some data without encrypting it (associated data).
Encryption and authentication
If you also want to protect integrity of your data (i.e. authenticate the message), you use authenticated encryption:
X
EK
C T
authenticate encrypt and
N use and transmit
N Plaintext
Ciphertext
Tag
• Tag T is added to each ciphertext;
• Adversary can not modify C||T without getting noticed.
Good encryption scheme should decrypt forged ciphertext to⊥ (invalid).
We might also want to authenticate some data without encrypting it (associated data).
Authenticated encryption with associated data
M A
EK
C T
A authenticate
and bind authenticate encrypt and
N use and transmit
N
AD Message Nonce
Confidentiality:
• Ciphertexts indistinguishable from random strings;
Data integrity:
• Most of seemingly valid ciphertexts decrypt to⊥.
Desirable features
Non-exhaustive list of authenticated encryption features:
• Parallelizability to fully use multi-core CPU;
• Incremental tags to avoid recomputing the entire ciphertext;
• Security proof;
• Reasonable performance;
• Compact implementation.
What we also want
Extra features
M A
EK
C T
A authenticate
and bind authenticateencrypt and
N use and transmit
N
AD Message Nonce
Some extra features:
• Easy to understand and implement.
• Security level equal to the key length (does not hold for AES-CBC/GCM/OCB).
• More compact and verifiable security proofs.
• No extra operations like key derivation, field multiplications etc. (makes the design more complex).
Solution: design a permutation-based mode, not a blockcipher one.
Extra features
M A
EK
C T
A authenticate
and bind authenticateencrypt and
N use and transmit
N
AD Message Nonce
Some extra features:
• Easy to understand and implement.
• Security level equal to the key length (does not hold for AES-CBC/GCM/OCB).
• More compact and verifiable security proofs.
• No extra operations like key derivation, field multiplications etc. (makes the design more complex).
Solution: design a permutation-based mode, not a blockcipher one.
Permutation-based
Two ways of encryption
How to construct a variable-length cipher:
EK = K F K F K F
• Each component is keyed function FK;
• Security reduces to pseudorandomness of F (unpredictable under a random key).
Two ways of encryption
How to construct a variable-length cipher:
EK =
K
F K
F
K
F
• Each component is a fixed public function F ;
• Security proven if F is randomly chosen (while in fact it is not).
Permutation-based
Why permutation-based?
• A wide permutation can take key, nonce, counter, intermediate values, or a message block altogether as input.
• Plenty of designs: different widths and optimizations;
• The underlying permutation is easier to design and analyze (no need to care of key schedule, mask generation, nonce
formatting, etc.).
Cons:
• Weaker security model (random permutation);
• Lower throughput (larger calls/byte ratio).
Permutation-based
Why permutation-based?
• A wide permutation can take key, nonce, counter, intermediate values, or a message block altogether as input.
• Plenty of designs: different widths and optimizations;
• The underlying permutation is easier to design and analyze (no need to care of key schedule, mask generation, nonce
formatting, etc.).
Cons:
• Weaker security model (random permutation);
• Lower throughput (larger calls/byte ratio).
80- and 128-bit security
Beyond 64-bit security
Most popular modes suggest using AES (128-bit block) as the underlying blockcipher.
No security guaranteed as the number of invocations q approaches 2n/2= 264.
We want to offer a higher security margin.
Beyond 64-bit security
Most popular modes suggest using AES (128-bit block) as the underlying blockcipher.
No security guaranteed as the number of invocations q approaches 2n/2= 264.
We want to offer a higher security margin.
Beyond 64-bit security
Most popular modes suggest using AES (128-bit block) as the underlying blockcipher.
No security guaranteed as the number of invocations q approaches 2n/2= 264.
We want to offer a higher security margin.
PAEQ
PAEQ
Our new scheme PAEQ has Basic features:
• Fully parallelizable;
• Handles associated data;
• Variable key/nonce/tag length;
• Patent-free;
• Online encryption and authentication, no length awareness;
• Byte-oriented.
• Incremental tag (for max tag length).
Extra features:
• Security level up to 128 bits and higher (up to w/3) and equal to the key length;
• Compact security proof in the random permutation setting;
• Permutation inputs and outputs are linked by only XORs and counters, no extra operations;
• Only forward permutation calls.
PAEQ
T K
1N
P1
F
F
K F C1
optional truncation
K F A1 K
D5 if last block is padded
Encryption
Binding associated data
Authentication
K key, k bits N nonce, r bits 1 counter, s bits
Pt Ct
t0
Encryption of the last block of length t0
1 n− k − 16
k
r+ s≥ 2k 16
16 k
D0
k
Z D2
k 16 s r
D4 k
D6
Di= (k, i + r (mod 256)) Y1
X1 W1 V1
n− k − 16
Nonce-misuse option
Q1
F
Q2
0
Qm
F N 2k r
P A
96 96
10∗1 plaintext
length AD length
plaintext AD paddingsponge
Q: K
key key lengthnonce
length 16 16 K
2N
P2
F
F C2
k D0
D2
K N t
Pt
F
F Ct
k D0
D2
F A2 K 2 D4
F Ap K p D4
K N t
F
F k D1
D3
PAEQ: encryption
Encryption:
K N 1
M1
F
N 2
M2
F
N t
Mt
F
C1 C2 Ct
K K
r+ s k
D0
k
16 r s
D0 D0
N t
Mt
F
Ct K
t0
D1
or
• Counter mode with PRF;
• Confidentiality basically follows from the properties of CTR.
PAEQ: authentication
Authentication:
T
F F F
K F C1
optional truncation K
F A1 K
F F
D5if last block is padded
1
16 k
≥ 2k k
Z D2
D4
k A2
K 2
D4 D4 K Ap p
D6
FK(N, 1)
C2 D2
FK(N, 2)
Ct D2
FK(N, t) k
≥ 2k k
k
≥ 2k
• PMAC style with additional input from the encryption part;
• If the tag has full length, it can be updated with a few extra calls.
Security proof
PAEQ comes with several security proofs. Confidentiality and integrity are established up to 2k total queries toF:
AdvconfΠ (A) ≤ 3q 2k; AdvintΠ (A) ≤ q
2τ +4q 2k.
where k — key length,τ — tag length, q — total number of queries toF.
If the nonce is misused, integrity is still established up to 2k/2 queries.
Internal permutation
T
K N 1
M1
F
F
N 2
M2
F
F
N t
Mt
F
F
K F
C1 C2 Ct
optional truncation K
F A1 K
F F
D5 if last block is padded
Encryption
Binding associated data
Authentication
K key, k bits N nonce, r bits 1 counter, s bits
K K
1 r+ s
k
q+ s
r+ s≥ 2k q+ s
16
16
16k q+ s
r+ s D0
k
Z D2
k
16 r s
D0
D2
D0
D2
D4 k
A2
K 2
D4 D4 K Ap p
D6
Di= 256· k + r + i
We use our own permutation — AESQ.
AESQ
AESQ
New 512-bit permutation aimed at modern CPUs:
• 4 parallel AES states;
• 2 AES rounds alternated with column shuffle;
• Simple round constants;
• 20 rounds in total.
2 rounds of AESQ:
SB SR MC 1
SB SR MC 5
SB SR MC 2
SB SR MC 6
SB SR MC 3
SB SR MC 7
SB SR MC 4
SB SR MC 8
Properties of AESQ
Running two instances of AESQ in parallel yields highest throughput on Haswell processors.
SB SR MC 1
SB SR MC 5
SB SR MC 2
SB SR MC 6
SB SR MC 3
SB SR MC 7
SB SR MC 4
SB SR MC 8
Security of AESQ:
• Differential/linear properties disappear after 8 rounds;
• Rebound attacks stop at 12 rounds;
• Preimage/distinguishing attacks stop at 12-14 rounds.
Performance estimates
Benchmarks on the Haswell CPU:
Security level / Key length PAEQ (20 rounds, cycles per byte)
64 4.9
80 5.1
128 5.8
256 8.9