Hi everyone, my name is Paul Rösler, and the paper about combiners for AEAD that I present today is joint work with Bertram Pöttering. When we talk about AEAD, we mean symmetric encryption: the encryption algorithm takes a symmetric key, a message together with data that is potentially associated to this message, and a nonce, and outputs a ciphertext. When this ciphertext is given to decryption together with the same associated data, the same nonce and the same symmetric key, the same message is output on the decryption side. This is the correctness requirement. For security we require confidentiality, meaning that the ciphertext output by the encryption is indistinguishable from a random bit string of the same length as a valid ciphertext, and we also require authenticity, meaning that ciphertexts output by the encryption cannot be manipulated such that they are still accepted by the decryption algorithm; any manipulation or any crafting of ciphertexts by an adversary results in rejection by the decryption algorithm. There are plenty of real-world AEAD schemes, for example GCM or OCB3 or many newly presented in the CAESAR competition, and as I said, they are used in almost all modern real-world communication protocols to protect the actual payload. The problem is if one of the AEAD schemes that we regularly use in practical deployments turns out to be insecure, and this can be the case as, for example, the papers on OCB2 last year showed us. So what should we do if such a thing can happen? We would like to minimize risk, and one way to minimize risk is to combine multiple AEAD schemes in which we trust, so that, if one of these AEAD schemes afterwards turns out to be insecure, we can still hope that the other two or the other one remain secure.
So in this example here, if we combine GCM with OCB3 and an AEAD scheme that follows the encrypt-and-MAC paradigm, then we would like to have that, as long as only one of these schemes remains secure, the entire combination remains secure. The question is of course how we can do this, and how we can do this such that it fulfills both the security requirements and potentially other requirements, for example performance requirements. Before I explain this to you, I give you some further motivations that give you an idea why combiners are useful. For example, developers might be forced to use specific AEAD schemes that they don't trust. Think of, for example, some standards that require Triple DES used with some unusual block mode; such developers still want to have a secure encryption, or a secure way to protect payload, and therefore a combiner can help to fulfill both the requirements from the standards and the trust and security requirements of the developers. There are other reasons: for example, sometimes proofs are not correct, as for the OCB2 proof, but also a previous proof of the GCM mode has been wrong, and still GCM appears to be secure. So there are plenty of reasons to use combiners in reality. But for using them in reality, there might be further properties that we want to achieve with or for such combiners. For example, we would like to have few assumptions on the underlying AEAD schemes. So ideally, every combiner works for any AEAD scheme in the real world, meaning that we don't want to assume special properties other than security, normal syntax and correctness. Also, the combiners should be very clear: when looking at them, it should be clear how they work and how they are implemented, because otherwise they are useless for solving the problems that we are approaching here.
Also, the proofs should be easy to verify and validate because otherwise, again, we do not end up with anything that helps us to minimize risk and establish trust in the combination. Also, we don't want to use any further cryptographic building blocks because, again, this introduces something that we need to assume and trust in order to have a secure combination. Finally, we would like to have good performance, particularly because if we combine multiple AEAD schemes anyway, we introduce a performance reduction due to invoking each underlying combined AEAD scheme at least once, both in encryption and in decryption. So what we would like to have is that the combiner itself does not produce any further overhead. Okay, so what we did in our work is we present four different AEAD combiners. The first one is a black-box combiner, meaning that this combiner does not assume any further properties from the underlying AEAD schemes. And this combiner, as I will show you in this talk and as you can see in our paper, is already very performant. We provide three further AEAD combiners, a ciphertext-translation combiner and two encrypt-and-MAC combiners, and although the black-box combiner is already very performant, these special combiners, which assume some special properties from the combined AEAD schemes, achieve even better performance. What I mean with "even optimal" for the black-box combiner is that for the case that we don't assume any further properties of the combined AEAD schemes, this combiner is even optimal. I will give you a short idea of why this is the case at the end of this talk. So we begin with the black-box combiner and understand how it is built. As I mentioned, this black-box combiner does not assume any further special properties from the combined AEAD schemes, meaning that they only provide the generic syntax and generic security requirements that I mentioned before.
Keep in mind that if we combine two AEAD schemes, only one of them needs to be secure such that the combined encryption and decryption still provide our required security properties. So the idea of our black-box combiner is that it nests encryption: the output of the first encryption is the input to the second encryption, and on the receiver side the decryption is conducted in the reverse direction. If we look at the details, you see that our pseudocode essentially just invokes the first encryption on the input message, and the output ciphertext is then encrypted with the second AEAD scheme. As I mentioned, this is reversed on decryption. For achieving integrity: if we know that the outer encryption provides authenticity and integrity, then we know that the ciphertext in transmission is integrity protected. But if this is not the case, meaning that the outer encryption is not secure but only the inner encryption, then we follow the following idea. What our combiner does is it first decrypts the outer layer, and then we know by the guarantees that if the outer layer is insecure, the inner layer is secure, giving us confirmation that the inner ciphertext is indeed integrity protected. Since the AEAD scheme is deterministic, the encryption, if it is invoked on the same ciphertext again, will produce the same outer ciphertext. So what we do here is we re-invoke the encryption that is also invoked in the combined encryption. And if we know that the inner ciphertext C0 is already integrity protected, then what the outer encryption should produce, if the ciphertext has not been manipulated, is exactly the same ciphertext that was input. So if the input ciphertext equals the re-encryption of the inner ciphertext, then we know that the ciphertext has not been manipulated. If it has been manipulated, then the combined decryption rejects the ciphertext.
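The following is an added example, not code from the paper or the talk: a black-box combiner in the nested-encryption style just described, including the re-encryption check, written against a constructed toy AEAD so that it runs offline. The toy cipher (SHA-256 counter keystream plus an HMAC tag), the use of two independent keys with the same nonce and associated data for both layers, and the `verify_tag=False` switch that models an outer scheme whose decryption has lost its authenticity guarantee are all assumptions of this example. The demo shows why the re-encryption step matters: with a broken outer scheme, a ciphertext whose outer tag was altered is still accepted by a naive nested decryption, but rejected once the combiner re-encrypts the inner ciphertext and compares.

```python
# Added example (not from the paper or talk): nested-encryption AEAD combiner
# with the re-encryption integrity check, over a constructed toy AEAD.
import hashlib
import hmac


class ToyAEAD:
    """Deterministic nonce-based AEAD: SHA-256 counter keystream + HMAC tag
    (encrypt-then-MAC). Constructed for illustration only, not a real cipher.
    verify_tag=False models a scheme whose decryption no longer checks the tag
    while its encryption stays deterministic (assumption of this example)."""

    TAG_LEN = 16

    def __init__(self, key: bytes, verify_tag: bool = True):
        self.enc_key = hashlib.sha256(b"enc" + key).digest()
        self.mac_key = hashlib.sha256(b"mac" + key).digest()
        self.verify_tag = verify_tag

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hashlib.sha256(self.enc_key + nonce + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        return out[:n]

    def _tag(self, nonce: bytes, ad: bytes, body: bytes) -> bytes:
        m = hmac.new(self.mac_key, digestmod=hashlib.sha256)
        m.update(len(ad).to_bytes(8, "big") + ad + nonce + body)
        return m.digest()[: self.TAG_LEN]

    def encrypt(self, nonce: bytes, ad: bytes, msg: bytes) -> bytes:
        body = bytes(a ^ b for a, b in zip(msg, self._keystream(nonce, len(msg))))
        return body + self._tag(nonce, ad, body)

    def decrypt(self, nonce: bytes, ad: bytes, ct: bytes):
        if len(ct) < self.TAG_LEN:
            return None
        body, tag = ct[: -self.TAG_LEN], ct[-self.TAG_LEN :]
        if self.verify_tag and not hmac.compare_digest(tag, self._tag(nonce, ad, body)):
            return None  # reject: tag mismatch
        return bytes(a ^ b for a, b in zip(body, self._keystream(nonce, len(body))))


class BlackBoxCombiner:
    """c0 = inner.Enc(m); c = outer.Enc(c0). Decryption peels the layers in
    reverse and then re-encrypts c0 with the outer scheme, rejecting unless
    the result equals the received ciphertext."""

    def __init__(self, inner: ToyAEAD, outer: ToyAEAD):
        self.inner, self.outer = inner, outer

    def encrypt(self, nonce: bytes, ad: bytes, msg: bytes) -> bytes:
        return self.outer.encrypt(nonce, ad, self.inner.encrypt(nonce, ad, msg))

    def decrypt(self, nonce: bytes, ad: bytes, ct: bytes, reencrypt_check: bool = True):
        c0 = self.outer.decrypt(nonce, ad, ct)
        if c0 is None:
            return None
        msg = self.inner.decrypt(nonce, ad, c0)
        if msg is None:
            return None
        # Escalate plaintext integrity of c0 (guaranteed by a secure inner
        # scheme) to ciphertext integrity: a manipulated ct cannot re-encrypt
        # to itself because the outer encryption is deterministic.
        if reencrypt_check and not hmac.compare_digest(self.outer.encrypt(nonce, ad, c0), ct):
            return None
        return msg


def demo() -> dict:
    """Constructed sample keys and inputs; returns which checks held."""
    k1, k2 = b"\x01" * 32, b"\x02" * 32
    nonce, ad, msg = b"\x00" * 12, b"header", b"attack at dawn"

    honest = BlackBoxCombiner(ToyAEAD(k1), ToyAEAD(k2))
    ct = honest.encrypt(nonce, ad, msg)

    # Outer scheme with broken decryption (no tag check); inner scheme is sound.
    weak_outer = BlackBoxCombiner(ToyAEAD(k1), ToyAEAD(k2, verify_tag=False))
    ct2 = weak_outer.encrypt(nonce, ad, msg)
    body_flip = bytes([ct2[0] ^ 1]) + ct2[1:]    # damages the inner ciphertext
    tag_flip = ct2[:-1] + bytes([ct2[-1] ^ 1])   # touches only the outer tag

    return {
        "roundtrip": honest.decrypt(nonce, ad, ct) == msg,
        "body_flip_rejected": weak_outer.decrypt(nonce, ad, body_flip) is None,
        # Naive nested decryption accepts the altered outer tag...
        "tag_flip_accepted_without_check": weak_outer.decrypt(nonce, ad, tag_flip, reencrypt_check=False) == msg,
        # ...the re-encryption check rejects it although only the inner scheme is secure.
        "tag_flip_rejected_with_check": weak_outer.decrypt(nonce, ad, tag_flip) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The `body_flip` case is caught by the inner scheme's own tag check, which is what the nesting alone buys; the `tag_flip` case is the one that needs the third invocation, the extra outer encryption on decryption that the talk counts in its performance figures.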
And what we obtain is a guarantee that if either of the two schemes protects the integrity of the ciphertext, then the combined ciphertext is also integrity protected. This idea of re-encrypting, and thereby escalating the integrity of a message to the integrity of a ciphertext, can be used generically, meaning that any integrity of the plaintext can be transformed with this re-encryption into integrity of the ciphertext, which is what we prove in our paper. This nested-encryption paradigm that we use in our black-box combiner is equally used in all remaining combiners for protecting confidentiality. The integrity re-computation idea is also used in our ciphertext-translation scheme. What we assume for this ciphertext-translation scheme, for the dark blue scheme that is sketched here in the lower left corner, is that the associated data is processed independently of the actual message, and that this processed associated data is, on encryption, simply XORed onto the ciphertext that is produced by the encryption. On decryption it can again be processed independently of the ciphertext and then XORed off again, such that the actual ciphertext can be processed. This gives us a performance increase on the decryption side, which I will show you in a second. So first observe that, due to encrypting twice in the combined encryption of our black-box combiner, and then decrypting twice on the decryption side plus one encryption, the processing of this combiner is as follows: we process data of the size of the message twice on encryption and three times on decryption, and the data associated to the message twice on the encryption side and three times on the decryption side.
And it is clear that we would anyway need to invoke each underlying encryption scheme once and each underlying decryption scheme at least once if we want to have the guarantees of a combiner, which gives us an idea of why our encryption is already optimal, but the decryption of course invokes one algorithm more. We will see that this is actually inevitable for black-box combiners. As I mentioned, the ciphertext-translation combiner can exploit the way that encryption and decryption of such ciphertext-translation schemes work, and therefore we obtain optimal performance regarding the processing of data on the encryption side, for both message and associated data, and on the decryption side for the associated data, meaning that we achieve even better performance. For our encrypt-and-MAC combiners one and two on the right side, we assume that either one underlying scheme or even both underlying schemes follow the encrypt-and-MAC paradigm, meaning that the light blue and the purple AEAD schemes are essentially encryption methods and MAC methods. What these combiners do for achieving integrity is, for the first encrypt-and-MAC combiner, that either the outer encryption or an attached MAC tag from the encrypt-and-MAC scheme protects integrity, which is then verified either by the outer decryption or by the MAC verification in the combined decryption. For the second encrypt-and-MAC combiner, what we do is we again nest encryption, as for all our combiners, and then compute MAC tags with both MAC schemes from both underlying AEAD schemes and simply XOR them; in the combined decryption these MAC tags are again verified, and if either of both protects integrity, then we know that the entire ciphertext is integrity protected. So what we do with our encrypt-and-MAC combiner number one is that we distribute the processing equally between combined encryption and combined decryption.
What we achieve with our second encrypt-and-MAC combiner is that the transmitted ciphertext is optimal in terms of its size, because the ciphertext contains, on the one hand, the nested encryption of the message, which is of the size of the message plus the overhead that is potentially applied by encryption, which is usually negligible, plus the size of the longer of the two MAC tags, which is optimal if the MAC tags are optimal in size. Okay, so what we see here again is the performance of all four of our combiners; you can see the details in our paper. What I would like to look at now is the optimality of the processing of the underlying AEAD schemes for the case that we don't assume any further properties from the underlying AEAD schemes. What I mean by that is the question of whether our black-box combiner is potentially even optimal, even though the combined decryption invokes one of the underlying schemes more than only once. What I mean with optimal is this: here we see that the theoretically optimal variant of a combiner would invoke each underlying algorithm at most, or exactly, once, both in combined encryption and in combined decryption. The question is whether there exists any combiner that uses each underlying scheme exactly once, because if this is not possible, then our black-box combiner is essentially already optimal, since what we do is invoke each underlying algorithm exactly once plus one further invocation. Okay, in order to analyze this we consider all possible variants of combining AEAD schemes.
These variants of combining AEAD schemes can be categorized into two categories: on the one hand synchronized combiners, which invoke both underlying AEAD schemes on the encryption side in the same order in which their decryption algorithms are invoked in the combined decryption, and on the other hand the reversed case, where the encryption in the combined encryption is invoked in the reversed order of the decryption. What you can observe here is that all remaining cases of combinations can be reduced to either of these two cases. So to show that there exists no combiner that follows either of these two variants and provides the guarantees that we want to have from a combiner, meaning that only one of the underlying schemes needs to provide security such that the entire combiner is secure, we consider four different weak AEAD schemes that we combine with arbitrarily strong AEAD schemes, and we show with these weak schemes that in any case in which one of them is combined with a secure one, a combiner cannot achieve security. These four AEAD schemes are as follows: they all attach a bit on the encryption side. In case A, the last bit of each ciphertext is a zero bit, and this last bit is also verified on the decryption side of AEAD scheme A. AEAD scheme B always attaches a one bit to every ciphertext, and on decryption it is again verified whether the last bit of a ciphertext equals one. The schemes C and D behave like A and B, meaning that C always attaches a zero and D always attaches a one on the encryption side, but on decryption both of these schemes are tolerant, meaning that they just ignore the last bit that was attached to the ciphertext on the encryption side. What we then show in our proof is that a combiner cannot distinguish cases A and B from C and D such that it could react to the potential tolerance of the decryptions in cases C and D.
So what we essentially show is that cases A and B behave equal to C and D on the encryption side, and thereby the combiner cannot do anything on the encryption side to protect against any potential forgeries that follow; and then on the decryption side the combiner cannot tell under which of the weak schemes the combined encryption has been processed, and thereby the combined decryption also cannot prevent any forgeries of ciphertexts in transmission. What I essentially mean with forgeries is, as you see here, that of course the last bit of a ciphertext can in cases C and D simply be manipulated, and thereby forgeries can be more or less trivially produced by adversaries. What we show in our proofs is that if a combiner protects against such forgeries in cases C and D, this combiner cannot achieve correctness in the cases where either scheme A or scheme B is combined with a secure one, and since we require both correctness and security from our combiners, such a combiner fails either security or correctness and thereby is not a sufficiently secure or correct combiner. I will provide further details and ideas on how our proof proceeds; it uses an adversary that generically breaks authenticity based on the ideas that I just sketched regarding forging ciphertexts due to the tolerance of decryption in cases C and D, meaning that the weaknesses of the weak AEAD schemes combined with secure AEAD schemes can be generically exploited to break any such combiner that uses the encryption once and the decryption once of each underlying scheme. This adversary proceeds as follows: it first traces the computations inside combined encryption and decryption.
These tracings can be conducted for the processing before the secure encryption and the secure decryption in the synchronized case, and before the secure encryption and the secure decryption in the reversed case, giving us in the reversed case even the further ability to trace computations after the decryption with the weak scheme. Due to tracing all these computations, the adversary obtains all necessary information that is known before the encryption with the weak scheme in the combined encryption, in both cases, the synchronized one and the reversed one. So if the adversary only once observes an encryption of the combination of weak and secure scheme, where observing means that the adversary can choose a message, some nonce and some associated data and obtains a ciphertext, then with all this data the adversary obtains all information that has been known by the combiner exactly before the encryption with the weak scheme was invoked. What the adversary then does is, in case it was an encryption under case A, replace this encryption with case B, so here the potentially weak scheme A is replaced by scheme B, which on the encryption side anyway equals a replacement of case C with case D. We can do this in either direction, so either we replace C with D or D with C, which is equivalent to replacing A and B on the combined encryption side, but due to being in cases C or D this allows a ciphertext forgery: essentially processing everything after this star here in the valid combined encryption, then, as I said, replacing this encryption, and then processing the combiner validly until the end gives us a forgery for which the adversary did not obtain anything from the victims other than a valid ciphertext for a chosen message on the chosen nonce and associated data.
So with this forgery the adversary invokes the combined decryption, and as we prove in our paper, which you can consult for the full details, the combined decryption cannot distinguish cases A and B from cases C and D, because the combined decryption was not able to do this either. This especially gives the adversary an opportunity to produce a valid forgery in any case, just by obtaining one ciphertext on chosen inputs of message, associated data and nonce. With this generic adversary we know that a combiner cannot only encrypt in combined encryption with each underlying scheme once and on combined decryption decrypt with each underlying scheme exactly once, and as a result, as I mentioned before, our black-box combiner is already optimal. You see here all the remaining performances of our combiners again; as I mentioned before, the ciphertext size for our second encrypt-and-MAC combiner is also optimal, meaning that we provide practical combiners for use in the real world. All the details of our work can of course be found in the full paper, which is available on ePrint, and you can always contact me via email or via Twitter. Thank you very much for your attention.