On Internal Re-keying

Security Standardisation Research (SSR 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12529)

Abstract

In this paper we introduce a classification of existing re-keying-based approaches to increase the security of block cipher operation modes. We introduce the concepts of external and internal re-keying, putting the focus on the latter. Whereas the external re-keying approach is widely used and provides a mechanism of key usage control at the level of message stream processing, the internal re-keying approach is the first known mechanism providing such control at the level of single message processing. These approaches can be applied completely independently. The internal re-keying approach was already applied to the \(\mathrm {\text {CTR}}\) encryption mode and yielded the \(\text {CTR-ACPKM}\) mode. The mode is a part of RFC 8645 “Re-keying Mechanisms for Symmetric Keys”, which represents the consensus of the Crypto Forum Research Group (CFRG) of the Internet Research Task Force (IRTF).

In the current paper we apply the internal re-keying approach to the well-known \(\mathrm {\text {GCM}}\) authenticated encryption mode. The main results of this paper are a new internally re-keyed \(\text {GCM-ACPKM}\) mode and its security bounds. We estimate the security of the \(\text {GCM-ACPKM}\) mode with respect to standard security notions. We compare both the security and the performance of the \(\text {GCM-ACPKM}\) and \(\mathrm {\text {GCM}}\) modes. The results show that modifying the \(\mathrm {\text {GCM}}\) mode by integrating the \(\mathrm {\text {ACPKM}}\) internal re-keying procedure increases security, significantly extending the lifetime of a key with a negligible loss in performance. We also show how the re-keying approaches could increase the security of TLS 1.3 and CMS cipher suites.

References

  1. Abdalla, M., Bellare, M.: Increasing the lifetime of a key: a comparative analysis of the security of re-keying techniques. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 546–559. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_42

  2. Ahmetzyanova, L., Alekseev, E., Oshkin, I., Smyshlyaev, S., Sonina, L.: On the properties of the CTR encryption mode of the Magma and Kuznyechik block ciphers with re-keying method based on CryptoPro Key Meshing. IACR Cryptology ePrint Archive, 2016:628 (2016)

  3. Ahmetzyanova, L., Alekseev, E., Smyshlyaev, S.: Security bound for CTR-ACPKM internally re-keyed encryption mode. IACR Cryptology ePrint Archive, 2018:950 (2018)

  4. Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: Proceedings of 38th Annual Symposium on Foundations of Computer Science (FOCS 1997), USA, pp. 394–403. IEEE Press (1997)

  5. Bellare, M., Pietrzak, K., Rogaway, P.: Improved security analyses for CBC MACs. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 527–545. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_32

  6. Bellare, M., Rogaway, P.: Introduction to modern cryptography (2005). http://cseweb.ucsd.edu/~mihir/cse207/classnotes.html

  7. Bellare, M.: Practice-oriented provable-security. In: Damgård, I.B. (ed.) EEF School 1998. LNCS, vol. 1561, pp. 1–15. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48969-X_1

  8. Bellare, M., Yee, B.: Forward-security in private-key cryptography. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 1–18. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36563-X_1

  9. Bhargavan, K., Leurent, G.: On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN. IACR Cryptology ePrint Archive, 2016:798 (2016)

  10. Biham, E.: How to forge DES-encrypted messages in \(2^{28}\) steps. Technion Computer Science Department Technical Report CS0884 (1996)

  11. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 537, 2–21 (1990)

  12. Standaert, F.X.: Introduction to side-channel attacks. In: Verbauwhede, I. (ed.) Secure Integrated Circuits and Systems. Integrated Circuits and Systems. Springer, Boston (2010). https://doi.org/10.1007/978-0-387-71829-3_2

  13. Chang, D., Nandi, M.: A Short Proof of the PRP/PRF Switching Lemma. IACR Cryptology ePrint Archive, 2008:078 (2008)

  14. Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39887-5_11

  15. Iwata, T., Kurosawa, K.: Stronger security bounds for OMAC, TMAC, and XCBC. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 402–415. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-24582-7_30

  16. Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 31–49. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_3

  17. Luykx, A., Preneel, B.: Optimal forgeries against polynomial-based MACs and GCM. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 445–467. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_17

  18. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_33

  19. McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30556-9_27

  20. Mitchell, C.J.: On the security of XCBC, TMAC and OMAC. Technical report RHUL-MA-2003-4, 19 August 2003. http://www.rhul.ac.uk/mathematics/techreports

  21. Chen, L.: NIST Special Publication 800-108. Recommendation for Key Derivation Using Pseudorandom Functions (Revised) (2009)

  22. Nandi, M.: Bernstein bound on WCS is tight. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 213–238. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_8

  23. Popov, V., Kurepkin, I., Leontiev, S.: Additional cryptographic algorithms for use with GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 algorithms. RFC 4357 (2007)

  24. Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3, RFC 8446, August 2018

  25. Housley, R.: Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS), RFC 5084, November 2007

  26. Ramsay, C., Lohuis, J.: TEMPEST attacks against AES. Covertly stealing keys for €200 (2017). https://www.fox-it.com

  27. OpenSSL project. https://www.openssl.org/

  28. Rescorla, E., Modadugu, N.: Datagram Transport Layer Security Version 1.2, RFC 6347, January 2012. https://doi.org/10.17487/RFC6347

  29. Kent, S.: IP Encapsulating Security Payload (ESP), RFC 4303, December 2005. https://doi.org/10.17487/RFC4303

  30. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2, RFC 5246, August 2008. https://doi.org/10.17487/RFC5246

  31. Ylonen, T., Lonvick, C. (ed.): The Secure Shell (SSH) Transport Layer Protocol, RFC 4253, January 2006. https://doi.org/10.17487/RFC4253

  32. Smyshlyaev, S.: Re-keying Mechanisms for Symmetric Keys, RFC 8645, August 2019

  33. Smyshlyaev, S.: GOST Cipher Suites for Transport Layer Security (TLS) Protocol Version 1.2, draft-smyshlyaev-tls12-gost-suites-04, 29 December 2018

Acknowledgement

The authors are very grateful to Nikolay P. Varnovsky, Ekaterina S. Griboedova, and Lolita A. Sonina for their valuable comments and suggestions concerning the text of the article.

Author information

Correspondence to Liliya Akhmetzyanova.

Appendices

A Security Notions

Define the \(\text {PRP-CPA}\) notion. For a cipher E with parameters n and k define

$$\begin{aligned} \mathbf{Adv }_{E}^{\text {PRP-CPA}}\left( {\mathcal {A}}\right) &= {\mathrm {Pr}}\left[ {K \in _\mathcal {U}\{0,1\}^k: \mathcal {A}^{E_K} \Rightarrow 1}\right] \\ &\quad - {\mathrm {Pr}}\left[ {\pi \in _\mathcal {U}Perm(\{0,1\}^n): \mathcal {A}^{\pi }\Rightarrow 1}\right] , \end{aligned}$$

where the probabilities are defined over the randomness of \(\mathcal {A}\) and the choices of K and \(\pi \). Further on we will also use the \(\text {PRF}\) notion. The \(\text {PRF}\) notion is defined in the same way as \(\text {PRP-CPA}\), except that the random permutation \(\pi \) is replaced by a random function \(\rho \in _\mathcal {U}Func(\{0,1\}^n)\).

Privacy. We consider an adversary \(\mathcal {A}\) that has access either to an encryption oracle \(\mathcal {E}\) or to a random-bits oracle \(\$\). Before starting its work the encryption oracle chooses a key \(K \in _\mathcal {U}\{0,1\}^k\). The adversary makes queries \((N, A, M)\), where N is a nonce, A is associated data and M is a plaintext. In response the random-bits oracle returns \((C, T)\) with \(C\Vert T \in _\mathcal {U}\{0,1\}^{|M| +n}\), where n is the tag size. The encryption oracle returns \((C, T)\), \(C\in \{0,1\}^{|M|}\), \(T \in \{0,1\}^n\), the result of AEAD encryption of \((N, A, M)\) under the key K. For the AEAD mode define

$$ \mathbf{Adv }_{\text {AEAD}}^{\text {Priv}}\left( {\mathcal {A}}\right) = {\mathrm {Pr}}_{}\left[ {K \in _\mathcal {U}\{0,1\}^k: \mathcal {A}^{\mathcal {E}} \Rightarrow 1}\right] - {\mathrm {Pr}}_{}\left[ {\mathcal {A}^{\$}\Rightarrow 1}\right] , $$

where the probabilities are defined over the randomness of \(\mathcal {A}\), the choices of K and randomness of the random-bits oracle, respectively. We consider a set of nonce-respecting adversaries, which choose N unique for each query.

Authenticity. We consider an adversary \(\mathcal {A}\) that has access to an encryption oracle \(\mathcal {E}\) and a decryption oracle \(\mathcal {D}\). Before starting their work both oracles choose a common key \(K \in _\mathcal {U}\{0,1\}^k\). The adversary interacts with the encryption oracle in the same way as described in the Privacy notion. Additionally the adversary can make queries \((N, A, C, T)\) to the decryption oracle, where N is a nonce, A is associated data, C is a ciphertext and T is an authentication tag. It returns the result of AEAD\(_{E}\) decryption of \((N, A, C, T)\) under the key K: \(M \in \{0,1\}^{|C|}\) or \(\bot \).

The adversary forges if the decryption oracle returns a bit string (other than \(\bot \)) for a query \((N, A, C, T)\), but \((C, T)\) was not previously returned to \(\mathcal {A}\) by the encryption oracle for a query \((N, A, M)\) with some M. As in the \(\text {Privacy}\) notion, we assume that \(\mathcal {A}\) is nonce-respecting with respect to the encryption oracle. We remark that nonces used for encryption queries can be used for decryption queries and vice versa, and that the same nonce can be repeated in decryption queries. For the AEAD mode define

$$ \mathbf{Adv }_{\text {AEAD}}^{\text {Auth}}\left( {\mathcal {A}}\right) = {\mathrm {Pr}}_{}\left[ {K \in _\mathcal {U}\{0,1\}^k: \mathcal {A}^{\mathcal {E}, \mathcal {D}} \text { forges}}\right] , $$

where the probability is defined over the randomness of \(\mathcal {A}\) and the choice of K.

B Proof of Theorem 1

Proof

Define the hybrid experiments \( Hybrid _{j}(\mathcal {A})\), \(j=0,1,\ldots ,h\). In the experiment \( Hybrid _{j}(\mathcal {A})\) the oracle of the \(\text {Privacy}\) notion is replaced by an oracle that operates as follows:

  • The oracle chooses key \(K^{j+1} \in _\mathcal {U}\{0,1\}^k\);

  • In response to a query \((N, A, M)\) the oracle returns a pair \((C, T)\) which is calculated as follows.

    A ciphertext \(C = M \oplus \mathrm {msb}_{|M|}(G'\Vert G^{j+1}\Vert \ldots \Vert G^{h}),\) where \(G'\in _\mathcal {U}\{0,1\}^{n\ell j}\) and \(G^{i} = E_{K^i}(I_{(i-1)\ell + 1})\Vert \ldots \Vert E_{K^i}(I_{i\ell })\), \(i = (j+1),\ldots ,h,\) is the concatenation of the \(\ell \) encrypted counter blocks of the i-th section under the section key \(K^i\). Note that the \((j+1)\)-th section is processed under the truly random key \(K^{j+1}\), and each subsequent key is derived from the previous one according to \(\mathrm {\text {ACPKM}}\).

    An authentication tag \(T = Z \oplus \mathrm {GHASH}_H(A,C),\) where \(Z = E_{K^1}(I_0)\), \(H = E_{K^1}(0^n)\) if \(j=0\), and \(Z, H \in _\mathcal {U}\{0,1\}^n\), otherwise.

The result of any experiment described above is the value returned by the adversary \(\mathcal {A}\). Further we denote by \( Hybrid _{j}(\mathcal {A})\Rightarrow 1\) the event that the result of the experiment \( Hybrid _{j}(\mathcal {A})\) is 1.

Note that for the adversary \(\mathcal {A}\) the oracle in the experiment \( Hybrid _{h}(\mathcal {A})\) coincides exactly with the oracle \(\$\), and the oracle in the experiment \( Hybrid _{0}(\mathcal {A})\) coincides with the oracle \(\mathcal {E}\), i.e. the following equalities hold:

$$\begin{aligned} {\mathrm {Pr}}\left[ { Hybrid _{h}(\mathcal {A})\Rightarrow 1}\right] &= {\mathrm {Pr}}\left[ {\mathcal {A}^{\$}\Rightarrow 1}\right] , \\ {\mathrm {Pr}}\left[ { Hybrid _0(\mathcal {A}) \Rightarrow 1}\right] &= {\mathrm {Pr}}\left[ {K \in _\mathcal {U}\{0,1\}^k:\mathcal {A}^{\mathcal {E}}\Rightarrow 1}\right] . \end{aligned}$$

Construct a set of adversaries \(\mathcal {A}'_j\), \(j=1,\ldots ,h\), for the block cipher E in the \(\text {PRF}\) model, which use \(\mathcal {A}\) as a black box.

After receiving a query \((N, A, M)\) from \(\mathcal {A}\), the adversary \(\mathcal {A}'_j\) processes this query as in the \( Hybrid _{j}(\mathcal {A})\) experiment, except that the encrypted blocks used for masking the j-th section and the blocks of the \((j+1)\)-th section key are obtained by querying the oracle (\(\rho \) or \(E_K\)) provided by the \(\text {PRF}\) experiment. The adversary \(\mathcal {A}'_j\) returns 1 if the adversary \(\mathcal {A}\) returns 1, and returns 0 otherwise. Note that

  • \(\mathcal {A}'_1\) makes at most \(\sigma _1+ q + s + 1\) queries (to obtain the hash key H, the s blocks of the second section key, the q masking values \(Z_i\) and the \(\sigma _1\) blocks needed to process the first sections of the q messages);

  • \(\mathcal {A}'_j\), \(j=2,\ldots ,h-1\), makes at most \(\sigma _j+s\) queries (to obtain the s blocks of the next section key and the \(\sigma _j\) blocks needed to process the j-th sections of the q messages);

  • \(\mathcal {A}'_{h}\) makes at most \(\sigma _{h}\) queries (the \(\sigma _h\) blocks needed to process the h-th sections of the q messages).

Note that \({\mathrm {Pr}}_{}\left[ {K \in _\mathcal {U}\{0,1\}^k: (\mathcal {A}'_j)^{E_K} \Rightarrow 1}\right] = {\mathrm {Pr}}_{}\left[ { Hybrid _{j-1}(\mathcal {A})\Rightarrow 1}\right] \) and \({\mathrm {Pr}}_{}\left[ {\rho \in _\mathcal {U}Func(\{0,1\}^n):(\mathcal {A}'_j)^{\rho } \Rightarrow 1}\right] = {\mathrm {Pr}}_{}\left[ { Hybrid _{j}(\mathcal {A})\Rightarrow 1}\right] \). The last equality follows from the fact that the input blocks used to produce the \(K^{j+1}\) section key differ from the input blocks used to mask the j-th section and to produce the Z and H values, so their images under the random function are independent. Therefore, the distribution of the variable \(K^{j+1}\) is statistically indistinguishable from the uniform one. Then for the advantages of the adversaries \(\mathcal {A}'_j\) we have

$$\begin{aligned} \sum _{j=1}^{h}\mathbf{Adv }_{E}^{\text {PRF}}\left( {\mathcal {A}'_j}\right) &= \sum _{j=1}^{h} \Big ( {\mathrm {Pr}}\left[ {K \in _\mathcal {U}\{0,1\}^k: (\mathcal {A}'_j)^{E_K} \Rightarrow 1}\right] - {\mathrm {Pr}}\left[ {\rho \in _\mathcal {U}Func(\{0,1\}^n):(\mathcal {A}'_j)^{\rho } \Rightarrow 1}\right] \Big ) \\ &= \sum _{j=1}^{h} {\mathrm {Pr}}\left[ { Hybrid _{j-1}(\mathcal {A})\Rightarrow 1}\right] - \sum _{j=1}^{h} {\mathrm {Pr}}\left[ { Hybrid _{j}(\mathcal {A})\Rightarrow 1}\right] \\ &= {\mathrm {Pr}}\left[ { Hybrid _{0}(\mathcal {A})\Rightarrow 1}\right] - {\mathrm {Pr}}\left[ { Hybrid _{h}(\mathcal {A})\Rightarrow 1}\right] = \mathbf{Adv }_{\text {GCM-ACPKM}_{E,c,\ell }}^{\text {Priv}}\left( {\mathcal {A}}\right) . \end{aligned}$$

From the PRP/PRF switching lemma [13], for any block cipher E and any adversary \(\mathcal {A}'\) making at most q queries we have

$$ \mathbf{Adv }_{E}^{\text {PRF}}\left( {\mathcal {A}'}\right) \leqslant \mathbf{Adv }_{E}^{\text {PRP-CPA}}\left( {\mathcal {A}'}\right) + \frac{q(q-1)}{2^{n+1}} \leqslant \mathbf{Adv }_{E}^{\text {PRP-CPA}}\left( {\mathcal {A}'}\right) + \frac{q^2}{2^{n+1}}. $$

Thus,

$$\begin{aligned} \mathbf{Adv }_{\text {GCM-ACPKM}_{E,c,\ell }}^{\text {Priv}}\left( {\mathcal {A}}\right) &= \sum _{j=1}^{h}\mathbf{Adv }_{E}^{\text {PRF}}\left( {\mathcal {A}'_j}\right) \\ &\leqslant \left( \mathbf{Adv }_{E}^{\text {PRP-CPA}}\left( {\mathcal {A}'_1}\right) + \frac{(\sigma _1+q+s+1)^2}{2^{n+1}}\right) + \sum _{j=2}^{h - 1} \left( \mathbf{Adv }_{E}^{\text {PRP-CPA}}\left( {\mathcal {A}'_j}\right) + \frac{(\sigma _j+s)^2}{2^{n+1}}\right) + \left( \mathbf{Adv }_{E}^{\text {PRP-CPA}}\left( {\mathcal {A}'_h}\right) + \frac{\sigma _h^2}{2^{n+1}} \right) \\ &\leqslant h \cdot \mathbf{Adv }_{E}^{\text {PRP-CPA}}\left( {\mathcal {A}'}\right) + \frac{(\sigma _1+q+s+1)^2 + (\sigma _2+s)^2 + \ldots + (\sigma _{h-1}+s)^2+\sigma _h^2}{2^{n+1}}, \end{aligned}$$

where \(\mathcal {A}'\) is an adversary which makes at most \(\sigma _1 + q + s + 1\) queries. The last relation holds because \(\sigma _1 \geqslant \ldots \geqslant \sigma _h\) and \( \mathbf{Adv }_{E}^{\text {PRP-CPA}}\left( {\mathcal {A}''}\right) \leqslant \mathbf{Adv }_{E}^{\text {PRP-CPA}}\left( {\mathcal {A}'}\right) \) for any adversaries \(\mathcal {A}'\) and \(\mathcal {A}''\) with the same computational resources such that the number of queries made by \(\mathcal {A}''\) is at most the number of queries made by \(\mathcal {A}'\).    \(\square \)

C Proof of Theorem 2

Proof

Without loss of generality, we assume that the key size k is a multiple of the block size n, and set \(s = k/n\).

We first consider a modification of the target mode, the abstract \(\text {GCM-ACPKM}^*\) mode, which works as follows. The only modification is that instead of generating the initial key \(K=K^1\), a permutation \(\pi \) is chosen uniformly at random from \(Perm(\{0,1\}^n)\). This permutation replaces the \(E_{K^1}\) function, i.e. it is used to produce the following values:

  • the hash key \(H = \pi (0^n)\),

  • blocks of the second section key \(\pi (D_1),\ \ldots ,\ \pi (D_s)\), \(K^2=\pi (D_1)\Vert \ldots \Vert \pi (D_s)\),

  • q masking values \(Z_i=\pi (N_i\Vert 0^{n-c-1}1)\), \(1 \leqslant i \leqslant q\),

  • blocks needed to process the first sections of the q messages, i.e. \(\Gamma ^j_i=\pi (N_i\Vert \mathrm {str}_{n-c}(j+1))\), \(1 \leqslant j \leqslant \ell _i \leqslant \ell \), \(1 \leqslant i \leqslant q\) (note that \(\ell _1 + \ell _2 + \cdots + \ell _q = \sigma _1\)).

The other sections are processed using \(E_{K^i}\), where \(K^2=\pi (D_1)\Vert \ldots \Vert \pi (D_s)\) and \(K^i=\mathrm {\text {ACPKM}}(K^{i-1})\), \(i \geqslant 3\).

By the obvious reduction we obtain the following inequality:

$$\begin{aligned} \mathbf{Adv }_{\text {GCM-ACPKM}_{E,c,\ell }}^{\text {Auth}}\left( {\mathcal {A}}\right) \leqslant \mathbf{Adv }_{E}^{\text {PRP-CPA}}\left( {\mathcal {A}'}\right) + \mathbf{Adv }_{\text {GCM-ACPKM}^*_{c,\ell }}^{\text {Auth}}\left( {\mathcal {A}}\right) , \end{aligned}$$

where \(\mathcal {A}'\) makes at most \(\sigma _1 + q + s + 1\) queries.

Now consider the following modification of the Authenticity notion (\(\text {Auth}^*\)): at the beginning of the game the adversary additionally receives as input the blocks \(\pi (D_1),\ \ldots ,\ \pi (D_s)\). Note that the advantage of the adversary in this game is not less than its advantage in the initial game, since in the \(\text {Auth}^*\) game the adversary is simply given more information. Thus,

$$\begin{aligned} \mathbf{Adv }_{\text {GCM-ACPKM}^*_{c,\ell }}^{\text {Auth}}\left( {\mathcal {A}}\right) \leqslant \mathbf{Adv }_{\text {GCM-ACPKM}^*_{c,\ell }}^{\text {Auth}^*}\left( {\mathcal {A}}\right) . \end{aligned}$$

The goal of this modification is to show that giving the adversary all information about all section keys except the first one cannot break authenticity. Indeed, the ciphertext calculation process influences authenticity only by giving the adversary additional input-output pairs of \(\pi \). The key-update technique limits this information to the input-output pairs used for processing the first section and for producing the blocks of the second section key.

For the proposed \(\text {GCM-ACPKM}^*\) mode the proof of security in the \(\text {Auth}^*\) model is the same as for Theorem 5 in [22]. Below we present a brief overview of this proof (for details see the original paper).

Without loss of generality we assume that \(\mathcal {A}\) is deterministic and that the nonce \(N'\) in the forging attempt \((N',A',C',T')\) is one of the nonces \(N_i\) used in the encryption queries \((N_i,A_i,M_i)\) answered with \((C_i,T_i)\) (since otherwise the bound can be shown to be smaller). Thus, the forgery probability is equal to the probability of the event that \(\mathrm {GHASH}_H(A,C) \oplus \mathrm {GHASH}_H(A',C') = T \oplus T'\).

Note that by fixing the transcript of the interaction between the challenger and the adversary we fix all variables in this equation except for H. Thus, for a fixed transcript we can estimate this probability by \(\frac{m_A+1}{2^{n}}\), since the equation has at most \(m_A\) solutions in the Galois field (the degree of the polynomial). The next step is to estimate the conditional probability of the event that such a fixed transcript is realized (conditioned on the appropriate \(H = \pi (0^n)\)). It is easy to see that the fixed transcript is fully determined by the values \(T_i,\Gamma ^j_i,K^2\), which in turn are determined by additionally fixing \(q+\sigma _1 + s\) input-output pairs of \(\pi \). Therefore this conditional probability is \(\frac{1}{(2^n-1)_{q+\sigma _1+s}}\), where \((a)_b=a\cdot (a-1)\cdots (a-b+1)\). The total probability over all possible transcripts defined by \(T_i,\Gamma ^j_i,K^2\) is estimated exactly as in [22] using Bernstein’s upper bound on the interpolation probability of a random permutation.    \(\square \)
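The GCM-ACPKM structure the proofs in Appendices B and C rely on (H and Z from \(K^1\), the first section's counter blocks under \(K^1\), every later section under \(K^i=\mathrm{ACPKM}(K^{i-1})\), tag \(Z \oplus \mathrm{GHASH}_H(A,C)\)), written out as an added example that is not the paper's code. It assumes n = 128, c = 96, k = 256 (so s = 2), a section size of 4 blocks, the ACPKM constants \(D_i\) of RFC 8645 [32], and a hash-based stand-in for the block cipher so that it runs offline.

```python
# Added example, not the paper's code: the GCM-ACPKM structure from Appendix C.
# H, Z and the keystream of the first section come from K^1; section i uses
# K^i = ACPKM(K^{i-1}); the tag is Z xor GHASH_H(A, C) as in GCM.
# Assumptions: n = 128, nonce size c = 96, k = 256 (s = 2), section size ELL
# blocks, and a hash-based stand-in for the block cipher so it runs offline.
import hashlib
import struct

N_BYTES = 16                                     # block size n = 128 bits
K_BYTES = 32                                     # key size k = 256 bits
ELL = 4                                          # section size in blocks
R = 0xE1 << 120                                  # GCM reduction constant

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K: keyed hash truncated to n bits (a PRF, not AES).
    Any n-bit block cipher could be substituted here."""
    return hashlib.sha256(b"blk" + key + block).digest()[:N_BYTES]

def acpkm(key: bytes) -> bytes:
    """K^{i+1} = MSB_k(E_K(D_1) || ... || E_K(D_s)), with the RFC 8645
    constants D_1 || ... || D_s = 0x80 || 0x81 || ... (s * n/8 bytes)."""
    s = K_BYTES // N_BYTES
    d = bytes(range(0x80, 0x80 + s * N_BYTES))
    blocks = [E(key, d[i * N_BYTES:(i + 1) * N_BYTES]) for i in range(s)]
    return b"".join(blocks)[:K_BYTES]

def gf_mul(x: int, y: int) -> int:
    """Multiplication in GF(2^128) with GCM's bit order (bit 0 = MSB)."""
    z, v = 0, x
    for i in range(127, -1, -1):
        if (y >> i) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash(h: bytes, a: bytes, c: bytes) -> bytes:
    """GHASH_H(A, C): zero-pad A and C to full blocks, append bit lengths."""
    pad = lambda b: b + bytes(-len(b) % N_BYTES)
    data = pad(a) + pad(c) + struct.pack(">QQ", 8 * len(a), 8 * len(c))
    hi, y = int.from_bytes(h, "big"), 0
    for i in range(0, len(data), N_BYTES):
        y = gf_mul(y ^ int.from_bytes(data[i:i + N_BYTES], "big"), hi)
    return y.to_bytes(N_BYTES, "big")

def keystream(key1: bytes, nonce: bytes, nblocks: int) -> bytes:
    """Counter blocks I_j = N || str_{n-c}(j+1), j = 1..nblocks; block j is
    encrypted under the section key K^i with i = ceil(j / ELL)."""
    out, key = b"", key1
    for j in range(1, nblocks + 1):
        if j > 1 and (j - 1) % ELL == 0:         # new section: update the key
            key = acpkm(key)
        out += E(key, nonce + (j + 1).to_bytes(4, "big"))
    return out

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key1: bytes, nonce: bytes, a: bytes, m: bytes):
    h = E(key1, bytes(N_BYTES))                  # H = E_{K^1}(0^n)
    z = E(key1, nonce + b"\x00\x00\x00\x01")     # Z = E_{K^1}(N || 0^{n-c-1} 1)
    c = xor(m, keystream(key1, nonce, -(-len(m) // N_BYTES)))
    return c, xor(z, ghash(h, a, c))

def decrypt(key1: bytes, nonce: bytes, a: bytes, c: bytes, t: bytes):
    h = E(key1, bytes(N_BYTES))
    z = E(key1, nonce + b"\x00\x00\x00\x01")
    if xor(z, ghash(h, a, c)) != t:
        return None                              # tag mismatch: reject (bottom)
    return xor(c, keystream(key1, nonce, -(-len(c) // N_BYTES)))

# Constructed sample input: a 100-byte message spans two sections (ELL = 4).
SAMPLE_KEY = bytes(range(K_BYTES))
SAMPLE_NONCE = bytes([0xAB] * 12)
```

Only the first four keystream blocks, H and Z are computed under \(K^1\); every later block is computed under a key reachable only through ACPKM, which is the information split the proof of Theorem 2 exploits.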

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Akhmetzyanova, L., Alekseev, E., Smyshlyaev, S., Oshkin, I. (2020). On Internal Re-keying. In: van der Merwe, T., Mitchell, C., Mehrnezhad, M. (eds) Security Standardisation Research. SSR 2020. Lecture Notes in Computer Science, vol 12529. Springer, Cham. https://doi.org/10.1007/978-3-030-64357-7_2

  • DOI: https://doi.org/10.1007/978-3-030-64357-7_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-64356-0

  • Online ISBN: 978-3-030-64357-7
