 Okay. Hello, everyone. Good evening. I'm Sriram. I'll be talking about authenticated encryption of key-dependent data. This is joint work with Mihit Belare. Classically, the security of encryption schemes has been captured by the indistinguishability under the chosen plain text attack, or the INDCPA notion of security. This was introduced by Golvasar and Mikali in 84 in the public key setting, and later by Belare and others in 97 in the symmetric key setting. Now, over time, we have gained a lot of confidence on INDCPA, and we would regard it as sufficient for many practical applications. But INDCPA comes with a caveat. Messages cannot depend on the key. Now, there are certain applications where we would like security even when the message depends on the key. If we had this kind of security, we could get anonymous credentialed schemes. This was shown by Kaminash and Lishansky in 2001. A year later, Black, Rockaway, and Shrimpton showed connections between key-dependent messages and formal methods in cryptography. Now, they modeled key-dependent messages by deriving the message from the key using a message-deriving function, phi. It turns out, apart from these applications, there are several practical settings in which key-dependent messages arise. Disk encryption tools like BitLocker sometimes end up storing the key used for disk encryption on the disk itself. Often, these keys are derived from the user's passwords, say, with a hash function, and this password could be lying on the disk, and sometimes the hash of the password could also be lying somewhere on the disk. Because of concerns like these, the IEEE standards for disk encryption, IEEE 1619, rejected one of the candidate schemes they were considering because that scheme had a prominent KDM attack. This is kind of an indication that KDM security is important in practical concerns too. More generally, we cannot expect users or designers of systems to ensure that the key and the data are not related. Rather, we want to design cryptosystems which are secure even when the key and the messages are related to each other, and this is about misuse-resistance and getting robust cryptosystems. Anyway, coming back to the work of Black, Rockaway, and Shrimpton, they extended the standard indistinguishability under the chosen plaintext attacker, INDCPA, to consider key-dependent messages. They provide models, definitions, and they show that this notion, KDM CPA, there are schemes which are secure in this notion. They describe the following random model scheme. And subsequently, there has been a lot of work in KDM about removing this random model and getting standard model schemes which are KDM secure. If we look at these schemes, we find that they are usually, they consider security for restricted classes of message-desiving functions, and they are inefficient and impractical. On the other hand, cryptographers have asked about the possibility of key-dependent messages arising in other primitives. Halloween crotchik considers security of pseudo-random permutations and pseudo-random functions in the presence of key-dependent messages. Back as Fitzman and Skedraw extended the CPA scheme of Black, Rockaway, and Shrimpton to consider a basic form of authenticated encryption. In this work, we revisit key-dependent messages in the setting of authenticated encryption. But we take a more comprehensive view and we focus on the practical aspects. Why? Because arguably, for symmetric crypto, authenticated encryption is the most important primitive going by the extent of usage. So we want to know what are the issues that arise when we think about key-dependent messages in AE in a practical sense. So let's first take a look at authenticated encryption. There is no KDM here. This is standard authenticated encryption. Now, the first thing to note is that unlike CPA, authenticated encryption not only guarantees the privacy of the message, but also its integrity. And if we look at the model of authenticated encryption considered by Back as Fitzman and Skedraw, which we'll call Classical AE, we see that the encryption scheme takes in a key and a message and a random IV. Now, in practice, authenticated encryption schemes are more complex. Not only do they have to deal with the message, they also have to deal with associated data in the form of a header. This header is also provided as input to the encryption scheme. The interesting thing to note is that the scheme has to guarantee only the integrity of the privacy. Another change is that unlike the Classical AE, in modern schemes, there is no random IV. Instead, there is a non-switch that is provided as input. This non-switch does not have to be random. We'll come back to the non-switch issue in a couple of slides. So if we want to look at authenticated encryption and KDM in practice, this is the form of AE we want to look at. And as I mentioned earlier, authenticated encryption is an important alternative, so there are many standards talking about authenticated encryption schemes in mobile security, in IPsec, et cetera. And these standards consider AE schemes with a nonce and a header in this form. So now if we bring in KDM, what are the issues that we have to handle? As always, the message can depend on the key. This is what KDM is about. But now we also have a header, and the header can also depend on the key. Not just that. The nonce that is given as an input to the encryption scheme does not have to be random. If the nonce is random, we are in one setting. This is the random non-security setting. But there is another setting called universal non-security where the encryption scheme is only guaranteed a nonce that is unique, that is non-repeating. It could be from any source. For example, it could be a counter. Now, it's easy to see that universal non-security is more attractive in practice. It's easier to maintain a counter that is to maintain a source with good randomness or pseudo-random generator. Consequently, the standards that we saw on the previous slides... Sorry. The standards that we saw here actually talk about authenticated encryption in the universal non-setting. Let me just go back there. Okay. So we are starting to see that if we want to look at KDM in authenticated encryption, there are all these things we have to deal with. The answers, messages, headers, et cetera. As a result, we're not looking at one object here, but we are actually looking at many variants. The message and the header could both be key dependent or not. And this already gives rise to four possibilities. And we also have random versus universal answers. So we have to deal with eight possibilities in all eight variants. And the natural question to ask is, can we get secure schemes in all of these variants? Or can we at least... So there is another issue here. So if we cannot get security in some of these schemes, can we at least show that it is not possible to achieve security? For example, can we show attacks that say that whatever scheme is there in a variant, the attack breaks the scheme? So one thing is easy to do here. If the message and the header are both independent of the key, then we fall back to normal authenticated encryption. We know we can achieve this. We have standardized and secure schemes that achieve security in this setting. So let's look at the other variants. Now we have six variants in all. The message can be key dependent. The header can be key remittant. Both of them can be dependent on the key. And the nonce could again be random or universal. So in this work, we ask the question whether it is possible to achieve KDM security in these settings. Our first contribution is a simple and universal... a unified way to deal with all these variants so that we don't have to end up, I mean, redoing some of the proofs and definitions, et cetera. And we show two attacks. Our first attack shows that with universal nonces, it's not possible to get KDM security. Now keep in mind that the standards that we saw all talked about authenticated encryption with universal nonces. So what this means is that none of these standardized authenticated encryption schemes can be extended to key dependent message security. This is already somewhat bad. And the other attack that we show rules out security in the presence of key dependent headers. So what is remaining? The only remaining setting is when the header is independent of the key and the nonce is random and the message still depends on the key. We show that it is possible to achieve KDM security in this setting. Our solution to this problem is a scheme, RHD, randomized hashed and encrypt. RHD actually is not a standalone scheme. It's a transform. It takes a normal authenticated encryption scheme and transforms it into one which is secure in the setting. And it's a very lightweight, simple transform. It has minimal computational overhead and we show that there are no extra elements being added to the ciphertext so the overhead in bandwidth is also zero. It can be thought of as some sort of a software patch that can be applied to a system to make it KDM secure. And we show that RHD is secure in the monocle model. Okay? So in the rest of the talk, I'll be focusing more on the results that I just mentioned, the two attacks on the RHD. So to look at these attacks, I should first define KDM security and before I do that, let's just quickly recall authenticated encryption security. In fact, one of our contributions in this paper is to come up with a simple novel authentication encryption security definition. But I won't go into that in the detail here. I'll just look at this from a very high level so that we can make sense of that attack that we'll describe later. So when we want to describe the security of a scheme, we think of a game between a challenger and an adversary. And in the beginning of the game, the challenger chooses a random bit B and a key K. This is authenticated encryption security so the adversary can make both encryption and non-securities. So when the adversary makes an encryption query, depending on whether this B was chosen to be one or zero, the challenger is going to reply either with real encryptions or random bits. There is one thing to note here of interest. That is, if we are talking about universal non-security, the adversary gets to provide the nonce that will be used for encryption. But if you're talking about random non-security, this is not allowed. The challenger will choose its own nonces randomly. This will play an important role in the attack. Other than that, that adversary can make decryption queries. And if the decryption query corresponds to a valid ciphertext, then the adversary will get back a one, otherwise it will get a zero. This is if the bit B is one. If bit B is zero, then adversary will always get invalid decryption. The aim of the adversary is to find this bit B. If we talk about KDM security, the basic structure of the game remains the same. The only difference is that now encryption queries, rather than taking a message as argument, now have a description of a function, a message-deriving function, phi. And the challenger will evaluate this phi on the key to get the message. Everything else remains the same. Okay, so now let's look at the first attack. Recall that what we're saying here is if the authenticated encryption scheme does not get random nonces, but gets nonces from some arbitrary non-repeating source, then it's not possible to have KDM security. The starting point of our attack is an earlier attack that was presented by BlackRock and Strimton, and their attack was on stateful encryption schemes. So before we dive into the attack, let me just give a high-level idea of what's going on here. The adversary, if you're in the universal non-setting, the adversary gets to provide the nonce. We saw this earlier. So one of the strategies of the adversary could be to embed this nonce in the message-deriving function phi. Recall that phi is evaluated by the challenger on the key. So phi knows both the nonce and the key. In other words, phi can simulate the encryption of random messages. So here's a high-level idea of what adversary could do. The aim of the adversary here is to get just one bit of the key, K of one. And what it's going to do is choose a random nonce, an arbitrary nonce, and another random string S, and embed them both as part of phi's description. And phi's job is to... phi knows the key. Phi is going to be evaluated on the key. So phi's job is to somehow find K one and communicate it back to the adversary. So how can phi do this? The only thing phi can do is output a message, and this message will subsequently get encrypted, and ciphertext will be given to the adversary. So phi does this following thing. Phi just randomly, arbitrarily chooses different messages, tries encrypting them, and checks if the dot product of S and the ciphertext is the same as the bit of the key. Once phi finds such a message, it stops and outputs this message. The challenger now takes this message and encrypts it and gets the same ciphertext that phi got and returns the ciphertext to the adversary. What can the adversary do? It already knows S. It knows that dot write of S and this ciphertext is the same as the first bit of the key. So it can just recover that bit. In fact, the adversary can repeat this for all the bits of the key and recover the key completely. This attack seems to work, but there's one problem. We don't know how long evaluating this, I mean, how long phi will run for. We don't know when phi will find such an M that satisfies the property. So we can fix this. It's easy to fix. The only thing to do is to make sure that phi stops eventually when it realizes that it has gone for too long. So we do this by, you know, putting a bound on the running time of phi, saying that it can only try L times. But L is a parameter that we provide to the adversary. If phi does not find a required message within L times, it's going to just output some arbitrary message. And instead of a dot product, we are now going to look at a family of power independent hash functions. So we can show that this works. I'll not go into the details. We can show that if we choose L to be comparable to the number of bits in the key, it covers the key with a high probability. So let's start for a second and see what we have done here. So this attack is somewhat serious because we are not just distinguishing between b equal to 0 and b equal to 1. We're actually recovering the key. And maybe this attack is artificial, but it still rules out the possibility of getting schemes that are secure with universal answers. We have a similar attack in the paper that shows how in the presence of key-dependent headers, it's not possible to get security. But I'll skip that attack here in test of time. So what do these mean? What do these two negative results mean for us? And we go back to the table of variants that we started off with. We see that whenever we have universal answers, it's no longer possible to get security. And similarly, whenever we have key-dependent headers, again, it is not possible to get security. So the most important takeaway is that standardized schemes require universal answers and we can't get KDM security in these settings. This is rather sad. So what is left to do? The only variant where we can still hope to get secure schemes is with random answers, key-independent headers, and key-dependent messages. And we show that this can be achieved by our scheme, randomized hash and encrypt. So our scheme is actually a transform. It takes an existing authenticated encryption scheme and converts it into a scheme that is secure in the setting we saw earlier. And internally, it uses a hash function. So this is what it looks like. If you look at the new encryption scheme, it takes in a key L, a non-SAR, a header H, and a message M. And from this key L and the non-SAR, it generates a new temporary key K. This is interesting because every time the encryption routine is called, a new key will be generated. And this new key is what is going to be used for encryption. It will be fed to the encryption routine along with the header and the message. Decryption proceeds in a natural manner. Assuming this works, it's easy to validate all the properties we claimed earlier. Minimal computational overhead because the only extra thing we are doing here is making a call to a cryptographic hash function like SHA-1. And these things are notoriously fast in practice. And we ran experiments with CCM for the base authenticated encryption scheme and SHA-1 for the hash function. We found that the overhead due to this whole process was less than 1% when the message was 50 kb or larger. And zero bandwidth overhead because anyway, for authenticated encryption schemes, we need a nonce. And the only thing we are doing here is using the nonce in a different manner. Instead of feeding it to the encryption scheme, we are using the nonce to generate a key. Similarly, simple software changes. A patch that makes a call to a random molecule before actually running the encryption routine. Okay? So that brings me to the end of my talk. Thank you. We have some time for questions. No questions, so let's thank the speaker.