 So, Michael, for the session, it's open state description with variable stretch. Yes, so there are... Thank you. Thank you for the introduction. This is a joint work with Serge and Reza, more both present, so if you want to ask me questions later, you can do it. And what we looked at was authenticated encryption with variable stretch, as the title says. We already saw some introduction about authenticated encryption in the previous slide, sorry, in the previous talks, so I'll just quickly skip through the introduction. We saw that authenticated encryption gives us confidentiality and integrity at the same time, using a symmetric key. And in this work, we focused on nonce-based authenticated encryption with associated data. And schemes like this have both encryption and decryption algorithms, which are deterministic, and use a non-repeating initialization vector to achieve semantic security. And they also allow us to process what we call associated data, which is just a string that needs to be authenticated but not encrypted. And schemes like this, so this is a quite old notion, but it's very popular because it allows us to construct schemes which are efficient, simple, but secure at the same time. And we have schemes of this type, both deployed and competing in the CSAR competition, still in the third round. A small caveat of these schemes is, however, that they are what people these days would call brittle, because if they are not used exactly as they are supposed to be used, we can have the security collapse on us maybe unexpectedly for a regular user. A most notorious example of such a brittle behavior is the nonce misuse. We have studied this problem a lot, and it's been treated extensively in literature. Another example is the decryption misuse, where a user might release a putative plaintext before it is verified, and this has disastrous consequences as well. Another approach we have seen in literature is to define a very strong notion which would treat any misuse that we can imagine, but a consequence of this approach is that it's not easy to achieve this security. So maybe we can't have robust schemes for all applications. And another type of misuse that we studied in this work, in context of nonce-based authenticated encryption, is the stretch misuse. The term stretch simply refers to the number of bits by which we expand the ciphertext compared to the messages. This quantity has to be non-zero, to have meaningful guarantees for authenticity. And related to this, a very basic intuition about security of A schemes is that whenever we expand by tau bits, we expect the adversary to have to do about two to tau forgery attempts before it succeeds. And for all nonce-based authenticated encryption schemes, this ciphertext expansion is considered to be a constant parameter, and this is assumed both in the design and in the security analysis. And so stretch misuse would be simply the case where a user would use several different values of stretch with the same secret key. Now, a very necessary question before we started this work, we asked ourselves, is it worth investigating this? Like, is this really a valid misuse scenario that can occur? Or is it just yet another A notion to add to the collection? And it is interesting for several reasons. The users might have incentives to do this, so there are several usage scenarios where it would be very useful and nice to have this, so to speak, sliding scale authenticity, you don't have to re-key your algorithm, but you can maybe decrease the stretch save on the bandwidth and then increase it again when you need bigger authenticity guarantees. When the users decide to do it, there is almost no implementation barrier which would stop them from changing the algorithm because the tag is usually just truncated. And most importantly, there are some attacks. So if there is an attacker who has access to several instances of the same algorithm with different values of stretch, the security might not behave intuitively for the users. And in fact, we were not the first ones to have noticed these things. The first mention of such counter-intuitive behavior comes from 2013 from what turned out to be a long discussion on CFRG Forum where Manger noticed that if we take OCD algorithm with 128-bit tags and 64-bit tags, what happens if we use it with the same key is that whenever we get an encryption query with 128-bit of tags, truncate this tag and submit it to decryption with the shorter tag version, this will always be a correct forgery. If we look at how OCD works, this is not surprising at all because the tags are simply truncated when they are computed. This breaks the intuition for the users and this opinion was also voiced in the forum where people have said, well, maybe it would be better if we could avoid such interaction. Consequently, several algorithms in the CSER competition received heuristic tweaks where the tag length has been mixed into the encryption algorithm by dropping it either into the nonce or associated data. But no real analysis was done. And unfortunately, even with these countermeasures in place, most of the schemes will still be vulnerable because most of these schemes that have been mentioned on the previous slide follow the paradigm of ciphertext translation. It might look a bit scary, but what it is really is just a way to take an authenticated encryption scheme which can only process nonce and the message. We have an encryption algorithm which gives us a stretched ciphertext and we want to authenticate associated data. So what we do, we just compute a keyed hash of this associated data of constant length and bits truncated to tau bits XOR to the end of the ciphertext. This works if the stretch is constant. If not, we can use this nice property where encrypting the same query which differs only in associated data gives, well, so we have these two ciphertexts and when we XOR them, this gives us the truncated difference of the hashes of these two associated data which depends only on the key and associated data. And then if we have an attacker who has access to several instances of this algorithm using gradually increasing value of stretch and wants to forge for the longest value of stretch, the adversary can gradually build up this forgery. This is the attack, it's ugly, I won't go into the details, but the bottom line is that the attacker has to first exhaustively search for the first tau bits of this difference and tau one is the shortest value of stretch the attacker can work with. Once we have this, we switch to queries stretched by tau two bits and we can shorten the ciphertext expansion value that we have access to and we just iteratively exhaustively search for the next bits that we don't know using the bits that we have already learned and this repeats and repeats until we have to find the last remaining bits that we don't know, tau L minus tau L minus one which are two longest values of stretch and we have our forgery and what can be counterintuitive for the users is that we only do two to this many queries with the longest value of stretch and now this is pretty worrying because if this is 128 and this previous one is 96 the forgery cost is 2232 and as I promised this works even with the countermeasures in place so if the tau is encoded in NOS this works for any hash it works in associated data it works for a very frequent type of the hash and this clearly indicates that we'll probably need systematic treatment of the problem so when we start and we want to formalize security of authenticated encryption with variable stretch there are some pretty intuitive properties that we would like to see from our new notion clearly there will be some space of possible stretches that our adversary can work with what we want is that the previous attacks will be captured in the new notion of value of tax we want to show we want to appear like if there are any interactions between different values of stretch we want these to appear in the advantage and at the same time we would like that the security level that will be captured by the new notion can still be achieved by efficient schemes nice and efficient like we know from the basic non-space AAD what is less intuitive is how should we formalize this it's not so easy to find an ideal system for the notion because the starting point so what we started from was the security definition for non-space AAD from 2002 actually it's a slightly different version but this is what most of the schemes follow so we defined a security of such a scheme with a security experiment where an adversary who tries to break the A security of our study scheme is left to interact with two black box oracles in the real world these would be the encryption and decryption algorithm initialized with a secret random key and in the ideal world these would be replaced with a random bits oracle for the encryption and an oracle which rejects all the forgery attempts and the adversary is restricted not to repeat nonsense in its encryption queries and not to attempt the trivial forgery in the decryption queries and then we defined the advantage of the adversary in breaking the security of the A scheme like this importantly also in this game the ciphertext expansion is assumed to be constant and thanks to this the game is nice and intuitive it makes a lot of sense to see why things are defined the way they are but when we try to extend this to the case where there are several values of stretch at the same time it becomes a bit more complicated to see why try to consider what would be maybe the first intuitive attempt to formalize security with variable stretch so apparently the adversary has to interact with several instances of the algorithm that are available in parallel they are using all the possible values of ciphertext expansion from the stretch space and we restrict the adversary to not repeat nonsense with every expansion but what we do in the ideal world is not so clear what we could try is to say in the ideal world we just replace all the encryption oracles with random bits oracles and all the decryption oracles with always reject oracles but unfortunately this notion will not capture what we wanted so if there are some interactions which are maybe useful with the biggest values of stretch if you want to do forgeries there we won't see this because there is always a trivial attack on the shortest value of ciphertext expansion so this notion doesn't work for instance the gradual forgery would not appear as a valid attack in this case because we can't use the decryption oracles and even if you overcome this problem there are some other problems which appear on the way and I will just fast forward to the notion that we have end up with and this is what we define so our notion is called NVAE N comes from non-space and B comes from variable tag you get the idea but it differs from most of the conventional notions for authenticated encryption in that it is parametrized so now our notion takes a parameter tau c this tau c is one of the possible values of ciphertext expansion that the adversary can use and we just say that when we take tau c it is fixed throughout the security experiment at the same time we say that tau c is arbitrary so we only say take one of the ciphertext expansion values that you have set it as the challenge for the adversary so the adversary is trying to attack this particular ciphertext expansion value but it still has access to all the other expansion values and how we define the security experiment is in the real world we have all the instances with all the values of ciphertext expansion which are at the disposal of the adversary the adversary can ask encryption queries decryption queries it mustn't repeat the nonce for the same ciphertext expansion value but maybe it can be repeated for different values and we only ask it not to do trivial forgeries for queries expanded by tau c bits but not for the others in the ideal world we leave all the oracles the same so the instances that are stretched by not tau c bits will be exactly the same as in the real world only the tau c bits stretched queries will be treated with idealized oracles with a random bit oracle reject oracle and then we define the advantage in nvae tau c of the adversary like this so what does this model capture? does it capture anything meaningful at all? the answer is it does and what we see when we have a proven bound for nvae tau c is the exact level of security that we guarantee for the queries that are stretched by tau c bits to see why think about the restrictions and the two worlds the adversary has to work with we didn't restrict the adversary too much for all the other expansion values it can even do forgeries it can take the shortest ciphertext expansion that is in the stretch space it can forge, it will probably be easy but this doesn't help the adversary to distinguish the two worlds because this is the same in both worlds but maybe this will help the adversary to collect some information that will be useful in attacking the target stretch value and this the queries to the stretch tau c bits will be the only thing that can help the adversary to really distinguish the two worlds at the same time if we can prove a bound that is independent of a particular value of tau c so we only assume it's fixed throughout the experiment but we say oh well it will work like this for any value of tau c what we will see is that the scheme behaves as expected for every value of stretch and this is what we wanted to capture in the first place so how would a good advantage look like if we managed to prove something in the model so what we would like to see is an advantage which has these two main components one component will be this term which grows linearly or maybe quadratically with the number of decryption queries made with tau c bits of stretch and this is something that cannot be avoided because if there are just tau c bits of redundancy after two to tau c queries you just guess it but we want that it doesn't decrease much faster than this and then there will be some other term which probably comes from the construction but this should not depend on tau c directly or the resources related to tau c for instance for a typical block-cypher based construction we would see a birth data bound like this where sigma is the total amount of data processed with all the values of stretch because the adversary just learns about the used block-cypher what our model doesn't say is that using short values of cypher text expansion is okay well if you use short tags you don't get much security and this will also show in the advantage when you substitute tau c by a small quantity when we then look back at the two attacks that I have presented we see that these are captured as valid attacks for the truncation forgery on OCB we see that we have constant small resources and advantage equal to one we focus on tau c so we set tau c to 64 bits we have access to 128 bit encryption oracle in the ideal world we will never forge in the real world we will always forge so we have advantage of one compared to what we would expect here or in the gradual forgery this is a bit more involved but what we see is that most of the queries or most of the resources are spent values of stretch different from tau c so a user might not suspect that if a lot of activity is spent on the other values of stretch the chance to attack the target stretch will be too good but in fact we see the advantage is one again compared to what we would expect which is this and maybe to see what it is exactly I have this small example imagine that we are using an A scheme for which we have 32, 64, 96 and 128 bit tags and for the value of stretch so for the 128 bit tags we only do 2 to 32 decryption queries so the advantage we would expect from a good scheme in this model would be 2 to minus 96 not one and except for defining security with variable stretch we also show that it is possible to achieve the security in this model and to help in doing this we also define an auxiliary notion we call KESS and what this notion captures is a property where an adversary cannot distinguish if it is interacting with many instances of the same scheme with different values of stretch by the same key or if all these instances are using independent now this property alone will not give you A security but if it is combined with the conventional A security of the scheme this automatically gives you NVA security so this is a theorem we proved and this is pretty useful if you already have a scheme that is working well as an A scheme for instance OCB you already have a well established proof of security and the only one to tweak it to make it secure against variable tag so maybe you just tweak it you prove the KESS property and your analysis is done and this is what we do to show that this type of security can not only be achieved but when we achieve it the scheme will still be efficient and fast as we like it we take OCB and we modify it by putting the tag length in all the tweaks to do this it is actually very easy to prove the KESS property because the OCB is based on tweakable block ciphers so encoding the tag length in the tweaks will just separate all the instances and the NVA security just follows very easily also the modification that we proposed should not harm the efficiency too much so the overhead will be very low we have not tested this but we are pretty confident that this is the advantage that we see and we see that it has exactly the expected form we have the term which grows linearly with number of decryption queries made with stretch tau c and we have this ugly term which comes from the construction but we see that it only depends on global resources so total number of queries everywhere the size of the stretch space but not queries made to the challenge expansion and what is nice on what we proposed is that it can be applied not only to OCB but to a bigger class of schemes so all the schemes which are based on tweakable primitives which is quite a big class of schemes some of them are already present in CISA competition and it's time to wrap up so what we did in this work is that we have formalized the security of authenticated and non-based authenticated encryption with variable stretch we have established the relations of our notions with the existing notions so that we have a nice picture of what belongs where and what are the relations we have shown that this type of security can be achieved and that in fact it can be achieved very efficiently what we have not shown is how to take any existing non-based AE scheme and transform it into an NVAE secure scheme in a black box efficient way so maybe this is possible maybe not we have not investigated this problem and before I conclude I just want to very quickly say that our lab is looking for postdocs right now so if you are interested or if you know someone who is interested just drop us an e-mail thank you for your attention question Hi everyone I have a short announcement for the excursion this afternoon if you want to go with us then we are going to gather