Hello, my name is Aisling Connolly, and I will talk to you today about key-correlated attacks. This is joint work with Pooya Farshim, who is now at the University of York, and with Georg Fuchsbauer, who is now at TU Vienna. This was all carried out while the three of us were together at ENS, and while I was doing my PhD, and for me it was quite a whirlwind introduction to symmetric provable security. So if you come with me now, I'll give you a little tour of what we discovered in those days.

Anyone's first foray into the playground of symmetric security usually involves stumbling upon three algorithms: a key generation algorithm Gen, which outputs a key K; an encryption algorithm Enc, which takes as input a key K and a message M, encrypts the message under the key and outputs a ciphertext C; and a decryption algorithm Dec, which takes as input the key K and a ciphertext C, decrypts the ciphertext under the key and outputs the message. I show you this picture now because it forms the basis for many of the ideas I will try to explain later on, and I'll update it to show you how things advanced over time.

When we think about cryptography, one of our main concerns is security, and the way we try to model security is by imagining an adversary interacting with our system. So many of the ways I will explain security are by showing you this adversary and how they interact with the system. One of the first notions of security was CPA security, whereby an adversary has access to an encryption oracle to which they can query messages and from which they obtain ciphertexts. What an adversary can learn from these interactions has different definitions; in this work we work almost entirely with idealized models, so our question to the adversary would be something like: can you distinguish whether this message was encrypted using a real encryption scheme or an ideal encryption scheme?

CPA security was introduced already in the public-key setting by Goldwasser and Micali in 1984, and later formalized in the symmetric setting by Bellare et al. in 1997. When we define security, it's nice to take a moment of reflection and ask: is this good? Does this actually model what happens? And already here we can see that in the earlier picture we had this decryption algorithm, so maybe it would be nice to give the adversary access to a decryption oracle. This is exactly what was done with CCA security: the adversary is given access to a decryption oracle to which they can query ciphertexts, and they try to distinguish whether they are interacting with a real or an ideal encryption.

So you start to see a trend emerging: we are interested in giving the adversary more and more power, because the more the adversary can see, the more confident we can be that our systems are secure. We, the almighty cryptographers, are building super strong, secure cryptosystems, so we want the adversary to have all the power in the world and still be able to claim security. But when we want to give this power to the adversary, how should we start to think about it? One way is to look at the real world, see how our encryption schemes are used in practice, see what kinds of situations arise there, and then model those. One such situation is the key-dependent message setting. For example, imagine you want to encrypt a hard drive: often your key is stored on that hard drive, and if you encrypt the hard drive under that key, you are essentially encrypting your key under the key, which is a sort of circular security issue. This was modeled in the key-dependent message (KDM) setting.

As you see, the picture has been slightly updated, but it is similar to before: we have a generation algorithm which generates a key K*, which acts as input to the encryption algorithm. But now we have introduced a function ψ which takes as input the key K* and outputs a key-dependent message M, which is then input to the encryption algorithm and encrypted under the key, and the ciphertext is output; decryption remains the same. How does this look from the adversary's point of view? Similar to before, in that we give them access to an encryption oracle, except now they query a ψ instead of a message, and this ψ takes the key K* and generates a key-dependent message; as before, they also have access to the decryption oracle.

The need for KDM security was already hinted at in the original Goldwasser-Micali paper, but it first appeared more formally in the Camenisch-Lysyanskaya paper in 2001, where they talked about anonymous credentials. It was formalized in the random oracle model by Black, Rogaway and Shrimpton in 2003, shown feasible in the standard model in 2007, and there was KDM-secure authenticated encryption by Bellare and Keelveedhi in 2011; from this paper we take quite some inspiration for some things I will show you later on.
There was a generic block cipher construction in 2011, and in 2017 the ideal cipher and iterated Even-Mansour were shown to be KDM secure.

Another setting that is similar, but where instead of a function generating key-dependent messages we use a function that generates related keys, is the related-key attack (RKA) setting. Related keys can arise naturally and by design, say in block ciphers through the key schedule, or they can arise adversarially, say through fault injection. The picture remains similar to before: the generation algorithm generates a key K*, but now this is input to a function φ which outputs a related key, which is used as the key input to encryption along with the message, and it outputs a ciphertext C. Similarly for decryption: it takes as input a related key K and a ciphertext C and outputs a message M. From the adversary's perspective it is again similar: we give the adversary access to an encryption oracle, the adversary can query messages, but now the message is encrypted under related keys, and similarly for decryption. Related-key security was introduced in the early 90s by Knudsen and Biham and formalized in 2003; in 2009 there were some high-profile related-key attacks against AES, which must have been very exciting at the time; in 2011 the idea was extended to capture idealized models and was also given a comprehensive treatment; and in 2015 there was a series of works that proved RKA security for Feistel and Even-Mansour.

So now a question: since we are so interested in giving the adversary lots of power, can these attacks actually be combined? Can an adversary be clever and mount these attacks at the same time? That's the main question we try to answer with this work. One of the first things we tried to imagine is the following: before, in the KDM setting and in the RKA setting, we had functions ψ and φ that would generate key-dependent messages and related keys; is there a single function that would generate related keys and key-dependent messages?

Our first imagination of the picture looks something like this. This is our first go at the key-correlated setting: the generation algorithm outputs a key K*, and now we have a function ξ which takes as input the key K* and generates a correlated key and message pair. This correlated key and message pair is then used as the input to encryption, and it outputs a ciphertext as normal. Similarly, on the other side we have a correlation-derivation function ξ_d which on input K* outputs a correlated key and ciphertext pair, which act as the inputs to decryption, and it outputs a message. This seems like a nice goal, and in this work that's exactly what we do: we give a concrete treatment of RKA plus KDM at the same time, under one heading, for symmetric primitives.

If you'll allow me a brief interlude to talk about grammar: maybe over the years you have seen people say, look, we have looked at CCA, RKA and KDM; as you saw on the previous slides, there were long lines of work on each of these topics, so maybe we have it all covered. To which I say: no, actually you've looked at CCA, comma, RKA, comma, and KDM. Here we try to look at RK-KDM together. So if anyone ever complains to you about the usefulness of grammar, you can say that a well-placed comma can lead to separations in cryptography.

But this work is more than just me playing with commas. As you saw before, there was a long line of works: KDM most notably arises in disk encryption, and RKAs, as I mentioned before, can arise either by design or due to attacks. So what about KCA: can this actually arise in practice or in real life, does it make sense as a notion? We think it does. You can start to imagine, say, an adversary who tampers with a key on a disk; then you are really encrypting key-dependent messages under related keys. This is a kind of strange situation that is not covered by either related-key attacks or key-dependent message attacks alone. There is also a conceptual motivation, in that it would be nice to give a unified approach. As I said, there was a long line of work, so there were many ideas floating around about all of these topics, and in this work we tried to give a unified approach and cover everything under one umbrella. So yes, we introduce this new model of security, which we call key-correlated attacks, and we try to show what happens there.

How does this look from the adversary's perspective? Similar to the RKA and KDM settings, in that the adversary has access to encryption and decryption oracles, except that now the adversary queries these ξ's: for encryption it sends a ξ_e, which takes a key K*, and for decryption it sends a ξ_d, which takes a key K*. Under the hood, ξ_e on the key K* outputs a key-correlated key and message pair, and for decryption ξ_d outputs a key-correlated key and ciphertext pair. These correlation-derivation functions are drawn from correlation-derivation sets, as normal; this has been done since all the previous work on KDM.

How might security look in this setting? It's similar to CCA, just a little bit changed, as you can see. The challenger generates a key K* from Gen and picks a bit b. The adversary then chooses a ξ_e and sends it to the challenger; this ξ_e is taken as input by the key-correlated encryption oracle KC-Enc which, depending on the bit b, outputs a ciphertext C that is returned to the adversary. Under the hood, how does this KC-Enc oracle look? It takes as input the function ξ_e, which takes as input K* and outputs a key-correlated key and message pair; the message is then encrypted under this key, depending on the bit b either with the real encryption or an ideal encryption, and the ciphertext is returned. The adversary also has access to the KC-Dec oracle, which it queries with a ξ_d, and under the hood it's similar, as you can imagine: ξ_d takes as input the key K* and outputs a key and a ciphertext; the ciphertext is decrypted under this key K, depending on the bit b either with the real decryption or the ideal decryption, and the message is returned to the adversary. The adversary can do many, many of these interactions and eventually outputs a bit b', and wins if b' equals b. The question then is: are all queries allowed? The answer is no: we can't do Enc and then Dec queries, and we can't do Dec and then Enc queries, but note that this is for the same key, and when I say the same key I mean the two keys output by these two queries.

Now that we have the notion of the key-correlated attack setting and a definition of what security might mean in that setting, it is nice to ask: are there any actual block ciphers that achieve this notion of security? The first place to look would be the ideal cipher itself, and the first main result in the paper is that yes, the ideal cipher is key-correlated CCA secure if the two correlation-derivation function sets satisfy some properties. What are those properties? The first one is key unpredictability, which simply says that the adversary can't guess the keys output by the ξ's. Another one is claw-freeness, which says that the adversary can't find collisions between two different ξ's. These notions are well understood and well accepted, as they arise in the KDM and RKA settings, so it should be no different that they arise here also. But here we actually need one more property, and if you'll come with me now I'll try to explain what that is, via a question. Imagine that we query a ξ_e to KC-Enc; one question is what might happen later when we query a ξ_d to KC-Dec.

Just as a reminder, what happens with KC-Enc is that it takes as input ξ_e; ξ_e then takes the key and generates a key and a message, the message is encrypted under this key, and it returns a ciphertext. With KC-Dec, ξ_d is taken as input, it generates a key-correlated key and ciphertext pair, the ciphertext is decrypted under this key, and it returns a message. Some kind of strange stuff starts to happen here, and I wonder if you can see it already: here we have a key generated by ξ_e, which in turn generates a ciphertext, and here we have a key and ciphertext pair. We need to make sure that at least these kinds of claws that occur across algorithms can be detected, so that we know when to abort because the adversary is making bad queries. Because this happens across algorithms, with these different keys, we call this XKCD, cross-key claw detectability: we just need to be able to detect these claws across algorithms, we don't need to ensure claw-freeness.

How might this look if an adversary is trying to break it? The adversary tries to guess ξ_e, C, ξ_d and an M such that our detection algorithm, which tries to detect these cross-key claws, fails. How that works is as follows. Take the first component of ξ_e on input K*, which is a key K, together with the ciphertext generated by running the encryption algorithm on the key and message generated by ξ_e. If this is the same as the key and ciphertext pair generated by ξ_d run on K*, and it is not detected, then the adversary has broken the XKCD requirement. On the other hand, this also works in the decryption direction: take the first component of ξ_d on input K*, which is just a key K, and the message obtained by running decryption with that key. If this is equal to the key and message pair output by ξ_e, and the detector doesn't notice, then the adversary wins and the bit is set to one.

Overall, if ξ_e and ξ_d each satisfy key unpredictability and claw-freeness, as required by KDM and RKA, and if the pair ξ_e and ξ_d satisfies XKCD, then the ideal cipher is KC-CCA secure. So all good.

A quick overview of the proof. If we ignore decryption and just look at encryption for a second: via the KC-Enc oracle the adversary has access to an ideal encryption to which it queries ξ_e, but because we're working in the ideal-cipher model the adversary also has access to a public ideal encryption and ideal decryption. If we want to ensure that, say, key unpredictability holds, we need to keep consistency across these, because the adversary can query the public oracles many, many times and may end up getting some key and message pairs that are generated here; if the adversary does that, it breaks the key unpredictability requirement. Later on the adversary may also send a different ξ'_e to the ideal encryption, and here we want to ensure that the claw-freeness property holds; again, because they have access to the public ideal encryption and ideal decryption, if the adversary can find collisions across these then we break the claw-freeness property. And again, as I explained before, we need to keep consistency across the ideal encryption, the ideal decryption, ξ_e and ξ_d, and if not we break the XKCD property.

In case these love hearts are too cutesy for you and you prefer more details on the proof, you can look in the paper, where we write things in game-based notation, progressing from the real setting to the ideal setting; I will just show you where the bad events arise. Hopefully we wrote this comprehensively, which may seem silly now as I put it all on one slide, but hopefully it's clear.

Now that we have shown that the ideal cipher can achieve KC-CCA security, it's a good time to ask whether any such ξ_e, ξ_d correlation-derivation function sets actually exist, because if not we have quite wasted some time. Luckily the answer is yes: we just look at the XOR sets that work in the KDM and RKA settings and show that they do satisfy the three properties we need. So all is good, we have something that is actually useful.

The next question turns to concrete ciphers. As you saw from the line of works before, there were a few works looking at the Even-Mansour cipher, because it's nice to study, and it was shown that two rounds are sufficient to achieve KDM security and two rounds are sufficient to achieve RKA security. So the natural question is whether two rounds are sufficient for KCA security, and unfortunately the answer turns out to be no: there is an attack on two-round Even-Mansour in the KCA setting.

Let me give you a brief overview of the attack. Suppose we have a KDM encryption that looks like this, where we have independent permutations and repeated keys. Let some offset Δ be defined as the permutation on the zero string XOR the permutation on the one string, and define a ciphertext as the encryption with key component the key XOR Δ and message component the key XOR Δ XOR the one string. When we expand this, we see that Δ together with the permutation on the one string can be replaced with the permutation on the zero string, and then the whole thing starts to look very much like what we had up here, and lo and behold, it is. So we end up with an encryption of the key under the key, offset by a known value, which is not very good, because we can then decrypt, remove the known value, and get the key in the clear. So this is quite bad: two rounds are not enough. The next question is how many rounds are enough, and we show that actually three rounds are necessary and sufficient. So that's cool; it's not too much worse. Three rounds are necessary and sufficient with independent permutations and repeated keys, so this is great.

Before I go, there is one last result in the paper, where we decided to look at AE. We really tried to cover all bases here: instead of looking at AE alone we look at AEAD, because we're trying to stay up to date, then we tried to be secure by looking at it in the multi-user setting, and then we tried to be more secure by looking at it in the misuse-resistance setting. I'll just show you briefly what happens here. The adversary's view looks similar to before: they have access to the encryption and decryption oracles, except now they query a ξ_e on K*, and under the hood this ξ_e now generates a key-correlated key, message, nonce and header; similarly, ξ_d generates a key-correlated key, nonce and header. It was a design choice to have the ciphertext C on the outside: it can happen that you generate a key-correlated ciphertext, but we felt that it didn't really make that much sense.

So, are there any KC-CCA-secure AE schemes out there? We show a generic transform that does achieve this security, and this transform is very much based on the transform in the Bellare-Keelveedhi paper from 2011 that I mentioned earlier. All you do to achieve this is hash the key with the nonce, and we show security for this if the ξ_e and ξ_d satisfy key unpredictability.

That brings me to the end of the tour, which was, as I mentioned at the start, quite a whirlwind. We've given you the setup for KCA attacks. In the paper, which I didn't mention just now, we also show relations: KCA security implies both related-key attack security and key-dependent message security, and there are separations, in the sense that key-correlated attacks are strictly stronger than the other two put together. We've shown feasibility in the ideal-cipher model; we've shown that three rounds of iterated Even-Mansour are needed to achieve KCA security; we give a generic transform that turns an authenticated encryption scheme into a KCA-secure authenticated encryption scheme; and some other fun stuff along the way, which I will stop talking about now.

I hope that was fun for you; it was fun for me. If you want more details, you can see them in the paper, which is on ePrint and on the program for this conference; it's 2019/1000, nice and easy to remember. If you want to ask us any questions, you will find all our details there. I hope you had a nice conference. I'm sorry that we couldn't be together; I'm sitting at home, and it would be much nicer to be in Greece, but I hope that we can see each other soon. Goodbye.
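The two-round Even-Mansour attack sketched in the talk, worked through in code. This is an added example written for this page, not the paper's or the speaker's code, and it makes some assumptions for illustration: an 8-bit toy block size, two public permutations P1 and P2 generated from fixed seeds, and KC-Enc/KC-Dec oracles modelled as closures holding K* that accept a correlation-derivation function and run the real cipher on whatever (key, message) or (key, ciphertext) pair it returns. The adversary makes one key-correlated encryption query with related key K* ⊕ Δ and key-dependent message K* ⊕ Δ ⊕ 1, where Δ = P1(0) ⊕ P1(1) is computable by anyone, strips Δ from the answer and decrypts under K* to get the key back.

```python
import random

N_BITS = 8          # toy block size (assumption; the construction works for any n)
ONE = 1             # the n-bit string 0...01


def random_permutation(seed: int) -> list[int]:
    """A fixed, public random permutation on n-bit strings; plays the role of P_i."""
    table = list(range(1 << N_BITS))
    random.Random(seed).shuffle(table)
    return table


def invert(perm: list[int]) -> list[int]:
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    return inv


# Two independent public permutations; the adversary can evaluate both in either direction.
P1, P2 = random_permutation(1), random_permutation(2)
P1_INV, P2_INV = invert(P1), invert(P2)


def em2_encrypt(key: int, msg: int) -> int:
    """Two-round Even-Mansour: independent permutations, the same key XORed in three times."""
    return P2[P1[msg ^ key] ^ key] ^ key


def em2_decrypt(key: int, ct: int) -> int:
    return P1_INV[P2_INV[ct ^ key] ^ key] ^ key


def known_offset() -> int:
    """Delta = P1(0) XOR P1(1). Public because P1 is public; nonzero because P1 is a permutation."""
    return P1[0] ^ P1[ONE]


def make_kc_oracles(k_star: int):
    """KC-Enc / KC-Dec as in the talk: each takes a correlation-derivation function of K*,
    derives a (key, message) or (key, ciphertext) pair, and runs the real cipher on it.
    The adversary never sees k_star directly."""
    def kc_enc(xi_e):
        k, m = xi_e(k_star)
        return em2_encrypt(k, m)

    def kc_dec(xi_d):
        k, c = xi_d(k_star)
        return em2_decrypt(k, c)

    return kc_enc, kc_dec


def adversary(kc_enc, kc_dec) -> int:
    """Recovers K* with one KC-Enc query and one KC-Dec query under a *different* key."""
    delta = known_offset()
    # Key-correlated query: related key K* ^ Delta, key-dependent message K* ^ Delta ^ 1.
    # Inside the cipher the first XOR gives (K*^Delta^1) ^ (K*^Delta) = 1, so the first
    # round outputs P1(1) ^ K* ^ Delta = P1(0) ^ K*, exactly the state that Enc(K*, K*)
    # reaches after its first round. Hence c = Enc(K*, K*) ^ Delta.
    c = kc_enc(lambda k: (k ^ delta, k ^ delta ^ ONE))
    # Strip the known offset and decrypt under K* itself. The encryption query used the key
    # K* ^ Delta, so the "no Enc-then-Dec under the same key" restriction does not apply.
    return kc_dec(lambda k: (k, c ^ delta))


def attack_identity_holds(k_star: int) -> bool:
    """The algebra the attack rests on: Enc(K*^Delta, K*^Delta^1) == Enc(K*, K*) ^ Delta."""
    delta = known_offset()
    lhs = em2_encrypt(k_star ^ delta, k_star ^ delta ^ ONE)
    rhs = em2_encrypt(k_star, k_star) ^ delta
    return lhs == rhs


if __name__ == "__main__":
    k_star = 0xA5
    kc_enc, kc_dec = make_kc_oracles(k_star)
    print(f"recovered key {adversary(kc_enc, kc_dec):#04x}, true key {k_star:#04x}")
    print("identity holds for every key:",
          all(attack_identity_holds(k) for k in range(1 << N_BITS)))
```

The decryption query is the interesting part: it is a cross-algorithm claw in the sense the talk describes (a ξ_d whose ciphertext is tied to an earlier ξ_e query), but under different keys, so neither the same-key query restriction nor plain claw-freeness of the ξ's rules it out; that is exactly the gap the XKCD property is there to close for the ideal cipher, and the gap two-round Even-Mansour cannot close.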