PAEQ: Parallelizable Permutation-based Authenticated Encryption

PAEQ: Parallelizable Permutation-based

Authenticated Encryption

Alex Biryukov and Dmitry Khovratovich

University of Luxembourg

12 October 2014

Authenticated encryption

Simple encryption

If you just want to protect confidentiality of your data, you use (simple) symmetric encryption:

X

EK

C encrypt

N use and transmit

N Nonce Plaintext

Ciphertext

• Agree on the key K;

• Choose nonce N uniquely for each piece of data;

• Encrypt and send.

Good encryption scheme makes ciphertexts look random (even if plaintexts repeat).

No integrity protection.

Simple encryption

If you just want to protect confidentiality of your data, you use (simple) symmetric encryption:

X

EK

C encrypt

N use and transmit

N Nonce Plaintext

Ciphertext

• Agree on the key K;

• Choose nonce N uniquely for each piece of data;

• Encrypt and send.

Good encryption scheme makes ciphertexts look random (even if plaintexts repeat).

No integrity protection.

Encryption and authentication

If you also want to protect integrity of your data (i.e. authenticate the message), you use authenticated encryption:

X

E^K

C T

authenticate encrypt and

N use and transmit

N Plaintext

Ciphertext

Tag

• Tag T is added to each ciphertext;

• Adversary can not modify C||T without getting noticed.

Good encryption scheme should decrypt forged ciphertext to⊥ (invalid).

We might also want to authenticate some data without encrypting it (associated data).

Encryption and authentication

If you also want to protect integrity of your data (i.e. authenticate the message), you use authenticated encryption:

X

E^K

C T

authenticate encrypt and

N use and transmit

N Plaintext

Ciphertext

Tag

• Tag T is added to each ciphertext;

• Adversary can not modify C||T without getting noticed.

Good encryption scheme should decrypt forged ciphertext to⊥ (invalid).

We might also want to authenticate some data without encrypting it (associated data).

Authenticated encryption with associated data

M A

E^K

C T

A authenticate

and bind authenticate encrypt and

N use and transmit

N

AD Message Nonce

Confidentiality:

• Ciphertexts indistinguishable from random strings;

Data integrity:

• Most of seemingly valid ciphertexts decrypt to⊥.

Desirable features

Non-exhaustive list of authenticated encryption features:

• Parallelizability to fully use multi-core CPU;

• Incremental tags to avoid recomputing the entire ciphertext;

• Security proof;

• Reasonable performance;

• Compact implementation.

What we also want

Extra features

M A

EK

C T

A authenticate

and bind authenticateencrypt and

N use and transmit

N

AD Message Nonce

Some extra features:

• Easy to understand and implement.

• Security level equal to the key length (does not hold for AES-CBC/GCM/OCB).

• More compact and verifiable security proofs.

• No extra operations like key derivation, field multiplications etc. (makes the design more complex).

Solution: design a permutation-based mode, not a blockcipher one.

Extra features

M A

EK

C T

A authenticate

and bind authenticateencrypt and

N use and transmit

N

AD Message Nonce

Some extra features:

• Easy to understand and implement.

• Security level equal to the key length (does not hold for AES-CBC/GCM/OCB).

• More compact and verifiable security proofs.

• No extra operations like key derivation, field multiplications etc. (makes the design more complex).

Solution: design a permutation-based mode, not a blockcipher one.

Permutation-based

Two ways of encryption

How to construct a variable-length cipher:

EK = ^{K F K F K F}

• Each component is keyed function F_K;

• Security reduces to pseudorandomness of F (unpredictable under a random key).

Two ways of encryption

How to construct a variable-length cipher:

E^K =

K

F K

F

K

F

• Each component is a fixed public function F ;

• Security proven if F is randomly chosen (while in fact it is not).

Permutation-based

Why permutation-based?

• A wide permutation can take key, nonce, counter, intermediate values, or a message block altogether as input.

• Plenty of designs: different widths and optimizations;

• The underlying permutation is easier to design and analyze (no need to care of key schedule, mask generation, nonce

formatting, etc.).

Cons:

• Weaker security model (random permutation);

• Lower throughput (larger calls/byte ratio).

Permutation-based

Why permutation-based?

• A wide permutation can take key, nonce, counter, intermediate values, or a message block altogether as input.

• Plenty of designs: different widths and optimizations;

• The underlying permutation is easier to design and analyze (no need to care of key schedule, mask generation, nonce

formatting, etc.).

Cons:

• Weaker security model (random permutation);

• Lower throughput (larger calls/byte ratio).

80- and 128-bit security

Beyond 64-bit security

Most popular modes suggest using AES (128-bit block) as the underlying blockcipher.

No security guaranteed as the number of invocations q approaches 2^n/2= 2⁶⁴.

We want to offer a higher security margin.

Beyond 64-bit security

Most popular modes suggest using AES (128-bit block) as the underlying blockcipher.

No security guaranteed as the number of invocations q approaches 2^n/2= 2⁶⁴.

We want to offer a higher security margin.

Beyond 64-bit security

Most popular modes suggest using AES (128-bit block) as the underlying blockcipher.

No security guaranteed as the number of invocations q approaches 2^n/2= 2⁶⁴.

We want to offer a higher security margin.

PAEQ

PAEQ

Our new scheme PAEQ has Basic features:

• Fully parallelizable;

• Handles associated data;

• Variable key/nonce/tag length;

• Patent-free;

• Online encryption and authentication, no length awareness;

• Byte-oriented.

• Incremental tag (for max tag length).

Extra features:

• Security level up to 128 bits and higher (up to w/3) and equal to the key length;

• Compact security proof in the random permutation setting;

• Permutation inputs and outputs are linked by only XORs and counters, no extra operations;

• Only forward permutation calls.

PAEQ

T K

1N

P1

F

F

K F C1

optional truncation

K F A1 K

D5 if last block is padded

Encryption

Binding associated data

Authentication

K key, k bits N nonce, r bits 1 counter, s bits

Pt Ct

t⁰

Encryption of the last block of length t⁰

1 n− k − 16

k

r+ s≥ 2k 16

16 k

D0

k

Z D2

k 16 s r

D4 k

D6

Di= (k, i + r (mod 256)) Y1

X1 W1 V1

n− k − 16

Nonce-misuse option

Q1

F

Q2

0

Qm

F N 2k r

P A

96 96

10^∗1 plaintext

length AD length

plaintext AD paddingsponge

Q: K

key key lengthnonce

length 16 16 K

2N

P2

F

F C2

k D0

D2

K N t

Pt

F

F Ct

k D0

D2

F A2 K 2 D4

F Ap K p D4

K N t

F

F k D1

D3

PAEQ: encryption

Encryption:

K N 1

M1

F

N 2

M2

F

N t

Mt

F

C1 C2 Ct

K K

r+ s k

D0

k

16 r s

D0 D0

N t

Mt

F

Ct K

t⁰

D1

or

• Counter mode with PRF;

• Confidentiality basically follows from the properties of CTR.

PAEQ: authentication

Authentication:

T

F F F

K F C1

optional truncation K

F A1 K

F F

D5if last block is padded

1

16 k

≥ 2k k

Z D2

D4

k A2

K 2

D4 ^D4 K Ap p

D6

FK(N, 1)

C2 D2

FK(N, 2)

Ct D2

FK(N, t) k

≥ 2k k

k

≥ 2k

• PMAC style with additional input from the encryption part;

• If the tag has full length, it can be updated with a few extra calls.

Security proof

PAEQ comes with several security proofs. Confidentiality and integrity are established up to 2^k total queries toF:

Adv^conf_Π (A) ≤ 3q 2^k; Adv^int_Π (A) ≤ q

2^τ +4q 2^k.

where k — key length,τ — tag length, q — total number of queries toF.

If the nonce is misused, integrity is still established up to 2^k/2 queries.

Internal permutation

T

K N 1

M1

F

F

N 2

M2

F

F

N t

Mt

F

F

K F

C1 C2 Ct

optional truncation K

F A1 K

F F

D5 if last block is padded

Encryption

Binding associated data

Authentication

K key, k bits N nonce, r bits 1 counter, s bits

K K

1 r+ s

k

q+ s

r+ s≥ 2k q+ s

16

16

16k q+ s

r+ s D0

k

Z D2

k

16 r s

D0

D2

D0

D2

D4 k

A2

K 2

D4 D4 K Ap p

D6

Di= 256· k + r + i

We use our own permutation — AESQ.

AESQ

AESQ

New 512-bit permutation aimed at modern CPUs:

• 4 parallel AES states;

• 2 AES rounds alternated with column shuffle;

• Simple round constants;

• 20 rounds in total.

2 rounds of AESQ:

SB SR MC 1

SB SR MC 5

SB SR MC 2

SB SR MC 6

SB SR MC 3

SB SR MC 7

SB SR MC 4

SB SR MC 8

Properties of AESQ

Running two instances of AESQ in parallel yields highest throughput on Haswell processors.

SB SR MC 1

SB SR MC 5

SB SR MC 2

SB SR MC 6

SB SR MC 3

SB SR MC 7

SB SR MC 4

SB SR MC 8

Security of AESQ:

• Differential/linear properties disappear after 8 rounds;

• Rebound attacks stop at 12 rounds;

• Preimage/distinguishing attacks stop at 12-14 rounds.

Performance estimates

Benchmarks on the Haswell CPU:

Security level / Key length PAEQ (20 rounds, cycles per byte)

64 4.9

80 5.1

128 5.8

256 8.9

Questions?