Implicit Key-Stretching Security of Encryption Schemes

Abstract

When keys are small or parts thereof leak, key-recovery attacks on symmetric-key primitives still pose a plausible threat. Key stretching is one well-known means to throttle potential adversaries, where stretching a key by s bit means that a key-recovery attack has to perform \(\min \{2^{k-1}, 2^{k-\lambda +s-1}\}\) operations on average for \(\lambda \) bit information leakage. However, typical explicit key stretching requires also the defender to pay for the stretch operations.

The usual assumption is that a surrounding encryption scheme does not increase the key-recovery security of its internal primitives. This work challenges this assumption by considering the structure of popular encryption schemes. In particular, message lengths may be non-negligible in settings such as full-disk encryption or archiving, where the adversary can obtain only long messages. Surprisingly, the question of whether a surrounding encryption scheme has only a negligible impact on key recovery seems to have remained uninvestigated. Therefore, it is interesting to study if “implicit” key stretching may come for free as an inherent property of popular schemes.

We define an encryption scheme as “fully key-stretching-secure” if an adversary that sees plaintext-ciphertext pairs of at least m blocks each must perform at least m primitive calls for testing a key candidate. Using a similar definition of affine modes as Chakraborti et al. in JMC 2018, we systematically explore common encryption schemes with respect to their key-stretching security. In total, we consider five classes of (1) online, (2) SIV-like, (3) parallelizable two-pass (EME-like), (4) sequential two-pass (CMC-like), and (5) three-pass (HCTR-like) encryption schemes. By modeling them as affine modes, we can identify all considered encryption schemes key-stretching-insecure, i.e., one needs only O(1) primitive calls for testing a key candidate. However, for the insecure schemes from types (4) and (5), namely for EME-, CMC-, and HCTR-like schemes, we propose minor tweaks to ensure full key-stretching security.

Appendices

A Encryption-Model Visualization

Fig. 5.

Models for single-, two-, and three-pass modes. Arrows without an input indicate that our models are restricted to plausible variants.

B Decryption Representations

For single-pass modes, we define the decryption model as

$$\begin{aligned} \begin{bmatrix} V \\ M \end{bmatrix}&= \begin{bmatrix} \textbf{D}_1^M &{} \textbf{D}_1^V &{} \textbf{D}_1^L \\ \textbf{D}_2^M &{} \textbf{D}_2^V &{} \textbf{D}_2^L \end{bmatrix} \cdot \begin{bmatrix} C&U&L \end{bmatrix}^{\top }\,. \end{aligned}$$

For two-pass schemes, the decryption can be represented as

$$\begin{aligned} \begin{bmatrix} X \\ V \\ M \\ \end{bmatrix}&= \begin{bmatrix} \textbf{D}_1^C &{} \textbf{D}_1^W &{} \textbf{0} &{} \textbf{0} &{} \textbf{D}_1^L \\ \textbf{D}_2^C &{} \textbf{D}_2^W &{} \textbf{0} &{} \textbf{0} &{} \textbf{D}_2^L \\ \textbf{0} &{} \textbf{0} &{} \textbf{D}_3^V &{} \textbf{D}_3^U &{} \textbf{D}_3^L \\ \end{bmatrix} \cdot \begin{bmatrix} C&W&V&U&L \end{bmatrix}^{\top }\,. \end{aligned}$$

For three passes, the decryption is represented as

$$\begin{aligned} \begin{bmatrix} Z \\ X \\ V \\ M \\ \end{bmatrix}&= \begin{bmatrix} \textbf{D}_1^C &{} \textbf{D}_1^Y &{} \textbf{0} &{} \textbf{0} &{} \textbf{0} &{} \textbf{0} &{} \textbf{D}_1^L \\ \textbf{D}_2^C &{} \textbf{D}_2^Y &{} \textbf{0} &{} \textbf{0} &{} \textbf{0} &{} \textbf{0} &{} \textbf{D}_2^L \\ \textbf{0} &{} \textbf{0} &{} \textbf{D}_3^X &{} \textbf{D}_3^W &{} \textbf{0} &{} \textbf{D}_3^U &{} \textbf{D}_3^L \\ \textbf{0} &{} \textbf{0} &{} \textbf{0} &{} \textbf{0} &{} \textbf{D}_4^Y &{} \textbf{D}_4^U &{} \textbf{D}_4^L \\ \end{bmatrix} \cdot \begin{bmatrix} C&Y&X&W&V U&L \end{bmatrix}^{\top }\,. \end{aligned}$$