Abstract
In this paper we introduce a classification of existing re-keying-based approaches to increasing the security of block cipher operation modes. We introduce the concepts of external and internal re-keying, with the focus on the latter. Whereas the external re-keying approach is widely used and provides a mechanism of key usage control at the level of message stream processing, the internal re-keying approach is the first known mechanism providing such control at the level of single message processing. These approaches can be applied completely independently. The internal re-keying approach has already been applied to the \(\mathrm {\text {CTR}}\) encryption mode, yielding the \(\text {CTR-ACPKM}\) mode. The mode is a part of RFC 8645 “Re-keying Mechanisms for Symmetric Keys”, which represents the consensus of the Crypto Forum Research Group (CFRG) of the Internet Research Task Force (IRTF).
In the current paper we apply the internal re-keying approach to the well-known \(\mathrm {\text {GCM}}\) authenticated encryption mode. The main results of this paper are a new internally re-keyed \(\text {GCM-ACPKM}\) mode and its security bounds. We estimate the security of the \(\text {GCM-ACPKM}\) mode with respect to standard security notions. We compare both security and performance of the \(\text {GCM-ACPKM}\) and \(\mathrm {\text {GCM}}\) modes. The results show that modifying the \(\mathrm {\text {GCM}}\) mode by integrating the \(\mathrm {\text {ACPKM}}\) internal re-keying procedure increases security, significantly extending the lifetime of a key with a negligible loss in performance. We also show how the re-keying approaches could increase the security of TLS 1.3 and CMS cipher suites.
References
Abdalla, M., Bellare, M.: Increasing the lifetime of a key: a comparative analysis of the security of re-keying techniques. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 546–559. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_42
Ahmetzyanova, L., Alekseev, E., Oshkin, I., Smyshlyaev, S., Sonina, L.: On the properties of the CTR encryption mode of the Magma and Kuznyechik block ciphers with re-keying method based on CryptoPro Key Meshing. IACR Cryptology ePrint Archive, 2016:628 (2016)
Ahmetzyanova, L., Alekseev, E., Smyshlyaev, S.: Security bound for CTR-ACPKM internally re-keyed encryption mode. IACR Cryptology ePrint Archive, 2018:950 (2018)
Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: Proceedings of 38th Annual Symposium on Foundations of Computer Science (FOCS 1997), USA, pp. 394–403. IEEE Press (1997)
Bellare, M., Pietrzak, K., Rogaway, P.: Improved security analyses for CBC MACs. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 527–545. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_32
Bellare, M., Rogaway, P.: Introduction to modern cryptography (2005). http://cseweb.ucsd.edu/~mihir/cse207/classnotes.html
Bellare, M.: Practice-oriented provable-security. In: Damgård, I.B. (ed.) EEF School 1998. LNCS, vol. 1561, pp. 1–15. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48969-X_1
Bellare, M., Yee, B.: Forward-security in private-key cryptography. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 1–18. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36563-X_1
Bhargavan, K., Leurent, G.: On the practical (in-)security of 64-bit block ciphers: collision attacks on HTTP over TLS and OpenVPN. IACR Cryptology ePrint Archive, 2016:798 (2016)
Biham, E.: How to forge DES-encrypted messages in \(2^{28}\) steps. Technion Computer Science Department Technical Report CS0884 (1996)
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 537, 2–21 (1990)
Standaert, F.X.: Introduction to side-channel attacks. In: Verbauwhede, I. (ed.) Secure Integrated Circuits and Systems. Integrated Circuits and Systems. Springer, Boston (2010). https://doi.org/10.1007/978-0-387-71829-3_2
Chang, D., Nandi, M.: A short proof of the PRP/PRF switching lemma. IACR Cryptology ePrint Archive, 2008:078 (2008)
Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39887-5_11
Iwata, T., Kurosawa, K.: Stronger security bounds for OMAC, TMAC, and XCBC. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 402–415. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-24582-7_30
Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 31–49. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_3
Luykx, A., Preneel, B.: Optimal forgeries against polynomial-based MACs and GCM. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 445–467. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_17
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_33
McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30556-9_27
Mitchell, C.J.: On the security of XCBC, TMAC and OMAC. Technical report RHUL-MA-2003-4, 19 August 2003. http://www.rhul.ac.uk/mathematics/techreports
Chen, L.: NIST Special Publication 800–108. Recommendation for Key Derivation Using Pseudorandom Functions (Revised) (2009)
Nandi, M.: Bernstein bound on WCS is tight. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 213–238. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_8
Popov, V., Kurepkin, I., Leontiev, S.: Additional cryptographic algorithms for use with GOST 28147–89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 algorithms. RFC 4357 (2007)
Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018
Housley, R.: Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS). RFC 5084, November 2007
Ramsay, C., Lohuis, J.: TEMPEST attacks against AES. Covertly stealing keys for €200 (2017). https://www.fox-it.com
Rescorla, E., Modadugu, N.: Datagram Transport Layer Security Version 1.2. RFC 6347, January 2012. https://doi.org/10.17487/RFC6347
Kent, S.: IP Encapsulating Security Payload (ESP). RFC 4303, December 2005. https://doi.org/10.17487/RFC4303
Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, August 2008. https://doi.org/10.17487/RFC5246
Ylonen, T., Lonvick, C. (ed.): The Secure Shell (SSH) Transport Layer Protocol. RFC 4253, January 2006. https://doi.org/10.17487/RFC4253
Smyshlyaev, S.: Re-keying Mechanisms for Symmetric Keys. RFC 8645, August 2019
Smyshlyaev, S.: GOST Cipher Suites for Transport Layer Security (TLS) Protocol Version 1.2. draft-smyshlyaev-tls12-gost-suites-04, 29 December 2018
Acknowledgement
The authors are very grateful to Nikolay P. Varnovsky, Ekaterina S. Griboedova, and Lolita A. Sonina for their valuable comments and suggestions concerning the text of the article.
Appendices
A Security Notions
Define the \(\text {PRP-CPA}\) notion. For a cipher E with parameters n and k define
where the probabilities are defined over the randomness of \(\mathcal {A}\) and the choices of K and \(\pi \). Further on we will also use the \(\text {PRF}\) notion. The \(\text {PRF}\) notion is defined in the same way as \(\text {PRP-CPA}\), except that the random permutation \(\pi \) is replaced by the random function \(\rho \in _\mathcal {U}Func(\{0,1\}^n)\).
Privacy. We consider an adversary \(\mathcal {A}\) that has access either to an encryption oracle \(\mathcal {E}\) or to a random-bits oracle \(\$\). Before starting its work the encryption oracle chooses a key \(K \in _\mathcal {U}\{0,1\}^k\). The adversary makes queries (N, A, M), where N is a nonce, A is associated data and M is a plaintext. The random-bits oracle responds with (C, T), where \(C\Vert T \in _\mathcal {U}\{0,1\}^{|M| +n}\) and n is the tag size. The encryption oracle responds with (C, T), \(C\in \{0,1\}^{|M|}\), \(T \in \{0,1\}^n\), the result of AEAD encryption of (N, A, M) under the key K. For the AEAD mode define
where the probabilities are defined over the randomness of \(\mathcal {A}\), the choice of K and the randomness of the random-bits oracle, respectively. We consider the set of nonce-respecting adversaries, which choose a unique N for each query.
Authenticity. We consider an adversary \(\mathcal {A}\) that has access to an encryption oracle \(\mathcal {E}\) and a decryption oracle \(\mathcal {D}\). Before starting their work both oracles choose a common key \(K \in _\mathcal {U}\{0,1\}^k\). The adversary interacts with the encryption oracle in the same way as described in the Privacy notion. Additionally, the adversary can make queries (N, A, C, T) to the decryption oracle, where N is a nonce, A is associated data, C is a ciphertext and T is an authentication tag. The decryption oracle returns the result of AEAD\(_{E}\) decryption of (N, A, C, T) under the key K: either \(M \in \{0,1\}^{|C|}\) or \(\bot \).
The adversary forges if the decryption oracle returns a bit string (other than \(\bot \)) for a query (N, A, C, T), but (C, T) was not previously returned to \(\mathcal {A}\) by the encryption oracle for a query (N, A, M) with some M. As in the \(\text {Privacy}\) notion, we assume that \(\mathcal {A}\) is nonce-respecting towards the encryption oracle. We remark that nonces used in encryption queries can be used in decryption queries and vice versa, and that the same nonce can be repeated in decryption queries. For the AEAD mode define
where the probability is defined over the randomness of \(\mathcal {A}\) and the choice of K.
B Proof of Theorem 1
Proof
Define the hybrid experiments \( Hybrid _{j}(\mathcal {A})\), \(j=0,1,\ldots ,h\). In the experiment \( Hybrid _{j}(\mathcal {A})\) the oracle of the \(\text {Privacy}\) notion is replaced by an oracle that operates in the following way:
- The oracle chooses a key \(K^{j+1} \in _\mathcal {U}\{0,1\}^k\);
- In response to a query (N, A, M) the oracle returns a pair (C, T) calculated as follows.
  A ciphertext \(C = M \oplus \mathrm {msb}_{|M|}(G'\Vert G^{j+1}\Vert \ldots \Vert G^{h}),\) where \(G'\in _\mathcal {U}\{0,1\}^{n\ell j}\) and \(G^{i} = E_{K^i}(I_{(i-1)l + 1})\Vert \ldots \Vert E_{K^i}(I_{i\ell })\), \(i = (j+1),\ldots ,h,\) is the concatenation of the appropriate \(\ell \) encrypted counter blocks under the section key \(K^i\). Note that the \((j+1)\)-th section is processed under the truly random key \(K^{j+1}\) and each subsequent section key is produced from the previous one according to \(\mathrm {\text {ACPKM}}\).
  An authentication tag \(T = Z \oplus \mathrm {GHASH}_H(A,C),\) where \(Z = E_{K^1}(I_0)\) and \(H = E_{K^1}(0^n)\) if \(j=0\), and \(Z, H \in _\mathcal {U}\{0,1\}^n\) otherwise.
The result of each experiment described above is the value the adversary \(\mathcal {A}\) returns. Further, we denote by \( Hybrid _{j}(\mathcal {A})\Rightarrow 1\) the event that the result of the experiment \( Hybrid _{j}(\mathcal {A})\) is 1.
Note that for the adversary \(\mathcal {A}\) the oracle in the experiment \( Hybrid _{h}(\mathcal {A})\) coincides exactly with the oracle \(\$\), and the oracle in the experiment \( Hybrid _{0}(\mathcal {A})\) coincides with the oracle \(\mathcal {E}\), i.e. the following equalities hold:
Construct a set of adversaries \(\mathcal {A}'_j\), \(j=1,\ldots ,h\), for the block cipher E in the \(\text {PRF}\) model, which use \(\mathcal {A}\) as a black box.
After receiving a query (N, A, M) from \(\mathcal {A}\), the adversary \(\mathcal {A}'_j\) processes this query as in the \( Hybrid _{j}(\mathcal {A})\) experiment, except that the encrypted blocks for masking the j-th section and the blocks of the \((j+1)\)-th section key are obtained by making queries to the oracle \(\rho \) or \(E_K\) provided by the \(\text {PRF}\) experiment. The adversary \(\mathcal {A}'_j\) returns 1 if the adversary \(\mathcal {A}\) returns 1, and returns 0 otherwise. Note that
- \(\mathcal {A}'_1\) makes at most \(\sigma _1+ q + s + 1\) queries (to obtain the hash key H, the s blocks of the second section key, the q masking values \(Z_i\) and the \(\sigma _1\) blocks needed to process the first sections of the q messages);
- \(\mathcal {A}'_j\), \(j=2,\ldots ,h-1\), makes at most \(\sigma _j+s\) queries (to obtain the s blocks of the next section key and the \(\sigma _j\) blocks needed to process the first sections of the q messages);
- \(\mathcal {A}'_{h}\) makes at most \(\sigma _{h}\) queries (the \(\sigma _h\) blocks needed to process the first sections of the q messages).
Note that \({\mathrm {Pr}}_{}\left[ {K \in _\mathcal {U}\{0,1\}^k: (\mathcal {A}'_j)^{E_K} \Rightarrow 1}\right] = {\mathrm {Pr}}_{}\left[ { Hybrid _{j-1}(\mathcal {A})\Rightarrow 1}\right] \) and \({\mathrm {Pr}}_{}\left[ {\rho \in _\mathcal {U}Func(\{0,1\}^n):(\mathcal {A}'_j)^{\rho } \Rightarrow 1}\right] = {\mathrm {Pr}}_{}\left[ { Hybrid _{j}(\mathcal {A})\Rightarrow 1}\right] \). The last equality follows from the fact that the input blocks used for producing the \(K^{j+1}\) section key differ from the input blocks used for masking the j-th section and for producing the Z and H values; for the random function, the distribution of the variable \(K^{j+1}\) is therefore statistically indistinguishable from the uniform one. Then for the advantages of the adversaries \(\mathcal {A}'_j\)
From the PRP/PRF switching lemma [13] for any block cipher E and any adversary \(\mathcal {A}'\) making at most q queries we have
Thus,
where \(\mathcal {A}'\) is an adversary which makes at most \(\sigma _1 + q + s + 1\) queries. The last relation is due to \(\sigma _1 \geqslant \ldots \geqslant \sigma _h\) and to \( \mathbf{Adv }_{E}^{\text {PRP-CPA}}\left( {\mathcal {A}''}\right) \leqslant \mathbf{Adv }_{E}^{\text {PRP-CPA}}\left( {\mathcal {A}'}\right) \) for adversaries \(\mathcal {A}'\) and \(\mathcal {A}''\) with the same computational resources such that the number of queries made by \(\mathcal {A}''\) is less than the number of queries made by \(\mathcal {A}'\). \(\square \)
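As an added worked form of the hybrid argument (not part of the original text; it uses only the quantities the proof names, together with the PRP/PRF switching lemma in its standard \(q(q-1)/2^{n+1}\) form), the steps combine as follows. Writing \(\mathbf{Adv }^{\text {Privacy}}\left( {\mathcal {A}}\right) \) for the Privacy advantage of Appendix A, the two coincidences of \( Hybrid _{0}\) with \(\mathcal {E}\) and \( Hybrid _{h}\) with \(\$\) give a telescoping sum:

\[
\mathbf{Adv }^{\text {Privacy}}\left( {\mathcal {A}}\right)
= {\mathrm {Pr}}_{}\left[ { Hybrid _{0}(\mathcal {A})\Rightarrow 1}\right] - {\mathrm {Pr}}_{}\left[ { Hybrid _{h}(\mathcal {A})\Rightarrow 1}\right]
= \sum _{j=1}^{h}\Bigl( {\mathrm {Pr}}_{}\left[ { Hybrid _{j-1}(\mathcal {A})\Rightarrow 1}\right] - {\mathrm {Pr}}_{}\left[ { Hybrid _{j}(\mathcal {A})\Rightarrow 1}\right] \Bigr)
= \sum _{j=1}^{h}\mathbf{Adv }_{E}^{\text {PRF}}\left( {\mathcal {A}'_j}\right) .
\]

Applying \(\mathbf{Adv }_{E}^{\text {PRF}}\left( {\mathcal {A}'}\right) \leqslant \mathbf{Adv }_{E}^{\text {PRP-CPA}}\left( {\mathcal {A}'}\right) + \frac{q'(q'-1)}{2^{n+1}}\) to each \(\mathcal {A}'_j\) with its query count \(q_j\) (\(q_1 = \sigma _1 + q + s + 1\), \(q_j = \sigma _j + s\) for \(2 \leqslant j \leqslant h-1\), \(q_h = \sigma _h\)), and then bounding every \(\mathbf{Adv }_{E}^{\text {PRP-CPA}}\left( {\mathcal {A}'_j}\right) \) by the advantage of the adversary \(\mathcal {A}'\) that makes the largest number \(q_1\) of queries (\(q_1 \geqslant q_j\) since \(\sigma _1 \geqslant \ldots \geqslant \sigma _h\)), yields

\[
\mathbf{Adv }^{\text {Privacy}}\left( {\mathcal {A}}\right) \leqslant h \cdot \mathbf{Adv }_{E}^{\text {PRP-CPA}}\left( {\mathcal {A}'}\right) + \sum _{j=1}^{h}\frac{q_j(q_j-1)}{2^{n+1}} .
\]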
C Proof of Theorem 2
Proof
Without loss of generality, we assume the key size k to be a multiple of the block size n, and \(s = k/n\).
We first consider a modification of the target mode – the abstract \(\text {GCM-ACPKM}^*\) mode – that works as follows. The only modification is that, instead of generating the initial key \(K=K^1\), a permutation \(\pi \) is chosen uniformly at random from \(Perm(\{0,1\}^n)\). This permutation replaces the \(E_{K^1}\) function, i.e. it is used to produce the following values:
- the hash key \(H = \pi (0^n)\),
- the blocks of the second section key \(\pi (D_1),\ \ldots ,\ \pi (D_s)\), \(K^2=\pi (D_1)\Vert \ldots \Vert \pi (D_s)\),
- the q masking values \(Z_i=\pi (N_i\Vert 0^{n-c-1}1)\), \(1 \leqslant i \leqslant q\),
- the blocks needed to process the first sections of the q messages, i.e. \(\Gamma ^j_i=\pi (N_i\Vert \mathrm {str}_{n-c}(j+1))\), \(1 \leqslant j \leqslant \ell _i \leqslant \ell \), \(1 \leqslant i \leqslant q\) (note that \(\ell _1 + \ell _2 + \cdots + \ell _q = \sigma _1\)).
The other sections are processed using \(E_{K^i}\), where \(K^2=\pi (D_1)\Vert \ldots \Vert \pi (D_s)\) and \(K^i=\mathrm {\text {ACPKM}}(K^{i-1})\), \(i \geqslant 3\).
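As an added example (not code from the paper, nor an implementation from RFC 8645), the following Go program realizes the section-key chain and counter layout just described for the CTR part of GCM-ACPKM, with AES playing the role of E: plaintext block j uses the counter block \(N\Vert \mathrm {str}_{n-c}(j+1)\) (counter 1 being reserved for the mask Z), and after every \(\ell \) blocks the section key is replaced by \(\mathrm {\text {ACPKM}}(K^i) = E_{K^i}(D_1)\Vert \ldots \Vert E_{K^i}(D_s)\), so the key-stream of section i depends only on \(K^i\). The constants \(D_j\) are not given on this page; their consecutive-byte layout (0x80, 0x81, ...) is an assumption taken from RFC 8645, and a 96-bit nonce (c = 96) is also assumed; GHASH and the tag are left out.

```go
package main

import (
	"crypto/aes"
	"fmt"
)

const blockSize = 16 // n = 128 bits (AES); with a 96-bit nonce the counter is 32 bits

// acpkmNext derives K^{i+1} = E_{K^i}(D_1) || ... || E_{K^i}(D_s), s = k/n, as the appendix
// describes K^2. The D_j are ASSUMED to be RFC 8645's consecutive-byte constants (0x80, 0x81, ...).
func acpkmNext(key []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	next := make([]byte, 0, len(key))
	for j := 0; j < len(key)/blockSize; j++ {
		d, out := make([]byte, blockSize), make([]byte, blockSize)
		for b := range d {
			d[b] = byte(0x80 + j*blockSize + b) // assumed D_{j+1} layout
		}
		c.Encrypt(out, d)
		next = append(next, out...)
	}
	return next, nil
}

// ctrBlock is the counter block N || str_{n-c}(ctr) for a 96-bit nonce (c = 96). Counter 1 is
// reserved for the mask Z = E_{K^1}(N || 0^{n-c-1}1); plaintext block j uses ctr = j+1 (Gamma^j).
func ctrBlock(nonce []byte, ctr uint32) []byte {
	blk := make([]byte, blockSize)
	copy(blk, nonce[:12])
	blk[12], blk[13], blk[14], blk[15] = byte(ctr>>24), byte(ctr>>16), byte(ctr>>8), byte(ctr)
	return blk
}

// keystream returns nblocks CTR-ACPKM keystream blocks: the counter runs straight through the
// message, but after every ell (>= 1) blocks, i.e. one section, the key becomes ACPKM(K^i).
func keystream(key, nonce []byte, ell, nblocks int) ([]byte, error) {
	cur, out := append([]byte(nil), key...), make([]byte, 0, nblocks*blockSize)
	c, err := aes.NewCipher(cur) // section 1 is encrypted under K^1 itself
	for j := 0; j < nblocks && err == nil; j++ {
		if j > 0 && j%ell == 0 { // section boundary: K^{i+1} = ACPKM(K^i)
			cur, _ = acpkmNext(cur) // cannot fail: cur keeps the validated key length
			c, _ = aes.NewCipher(cur)
		}
		blk := make([]byte, blockSize)
		c.Encrypt(blk, ctrBlock(nonce, uint32(j+2))) // block j+1 -> counter j+2
		out = append(out, blk...)
	}
	return out, err
}

func main() {
	// constructed all-zero AES-256 key (s = 2) and nonce, ell = 2 blocks, 4 blocks = 2 sections
	ks, _ := keystream(make([]byte, 32), make([]byte, 12), 2, 4)
	fmt.Printf("section 1 (K^1): %x\nsection 2 (K^2): %x\n", ks[:32], ks[32:])
}
```

Running it with the same nonce twice but different \(\ell \) shows that the key-stream of the first section is unchanged while every later section differs, which is exactly the separation the hybrid argument relies on.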
By the obvious reduction we obtain the following inequality
where \(\mathcal {A}'\) makes at most \(\sigma _1 + q + s + 1\) queries.
Now consider the following modification of the Authenticity game (\(\text {Auth}^*\)): at the beginning of the game the adversary additionally receives as input the blocks \(\pi (D_1),\ \ldots ,\ \pi (D_s)\). Note that the advantage of the adversary in this game is not less than its advantage in the initial game, since in the \(\text {Auth}^*\) game the adversary is simply given more information. Thus,
The goal of this modification is to show that giving the adversary all information about all section keys except the first section key cannot break authenticity. Indeed, the ciphertext calculation process influences authenticity only by providing the adversary with additional input-output pairs of \(\pi \). The key updating technique limits this information to the input-output pairs used for processing the first section and for producing the blocks of the second section key.
For the proposed \(\text {GCM-ACPKM}^*\) mode the proof of security in the \(\text {Auth}^*\) model is the same as that of Theorem 5 in [22]. Below we give a brief overview of this proof (for details see the original paper).
Without loss of generality we assume that \(\mathcal {A}\) is deterministic and that the nonce \(N'\) in the forging attempt \((N',A',C',T')\) is one of the nonces \(N_i\) used in the encryption queries \((N_i,A_i,M_i)\) answered with \((C_i,T_i)\) (since otherwise the bound can be shown to be smaller). Thus, the forgery probability is equal to the probability of the event that \(\mathrm {GHASH}_H(A,C) \oplus \mathrm {GHASH}_H(A',C') = T \oplus T'\).
Note that by fixing the transcript of the interaction between the challenger and the adversary we fix all variables in this equation except for H. Thus, for a fixed transcript we can estimate this probability by \(\frac{m_A+1}{2^{n}}\), since the equation has only \(m_A\) solutions in the Galois field (equal to the polynomial degree). The next step is to estimate the conditional probability of the event that such a fixed transcript is realized (conditioned on the appropriate \(H = \pi (0^n)\)). It is easy to see that the fixed transcript is fully determined by the values \(T_i,\Gamma ^j_i,K^2\), which in turn are determined by additionally fixing \(q+\sigma _1 + s\) input-output pairs of \(\pi \). Therefore this conditional probability equals \(\frac{1}{(2^n-1)_{q+\sigma _1+s}}\), where \((a)_b=a\cdot (a-1)\cdots (a-b+1)\). The total probability over all possible transcripts defined by \(T_i,\Gamma ^j_i,K^2\) is estimated exactly as in [22], using Bernstein’s upper bound on the interpolation probability of a random permutation. \(\square \)
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Akhmetzyanova, L., Alekseev, E., Smyshlyaev, S., Oshkin, I. (2020). On Internal Re-keying. In: van der Merwe, T., Mitchell, C., Mehrnezhad, M. (eds) Security Standardisation Research. SSR 2020. Lecture Notes in Computer Science(), vol 12529. Springer, Cham. https://doi.org/10.1007/978-3-030-64357-7_2
DOI: https://doi.org/10.1007/978-3-030-64357-7_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64356-0
Online ISBN: 978-3-030-64357-7