Disk encryption: do we need to preserve length?

Abstract

In the last one and a half decade there has been a lot of activity toward development of cryptographic techniques for disk encryption. It has been almost canonized that an encryption scheme suitable for the application of disk encryption must be length preserving, i.e., it rules out the use of schemes such as authenticated encryption where an authentication tag is also produced as a part of the ciphertext resulting in ciphertexts being longer than the corresponding plaintexts. The notion of a tweakable enciphering scheme (TES) has been formalized as the appropriate primitive for disk encryption, and it has been argued that they provide the maximum security possible for a tagless scheme. On the other hand, TESs are less efficient than some existing authenticated encryption schemes. Also TES cannot provide true authentication as they do not have authentication tags. In this paper, we analyze the possibility of the use of encryption schemes where length expansion is produced for the purpose of disk encryption. On the negative side, we argue that nonce-based authenticated encryption schemes are not appropriate for this application. On the positive side, we demonstrate that deterministic authenticated encryption (DAE) schemes may have more advantages than disadvantages compared to a TES when used for disk encryption. Finally, we propose a new deterministic authenticated encryption scheme called BCTR which is suitable for this purpose. We provide the full specification of BCTR, prove its security and also report an efficient implementation in reconfigurable hardware. Our experiments suggests that BCTR performs significantly better than existing TESs and existing DAE schemes.

Appendix

1.1 Proof of Theorem 1

First we state some useful properties of BRW polynomials without proof. For the proofs, the interested reader is referred to [2, 32].

Property 1

If \(m\ge 3\) and \(t\le m < 2t-1\) then \(\mathsf{BRW}_h(X_1,\ldots ,X_m)\) is a monic polynomial of degree \(2t-1\).

Fig. 4

Games G0 and G1

Property 2

Let \(X=(X_1,X_2,\ldots ,X_m),X^{\prime }=(X^{\prime }_1,X^{\prime }_2,\ldots ,X^{\prime }_m)\in [{ GF}(2^n)]^m\) such that \(X\ne X^{\prime }\). Let \(Y = \mathsf{BRW}_h(X_1,X_2,\ldots ,X_m)\) and \(Y^{\prime } = \mathsf{BRW}_h(X^{\prime }_1,X^{\prime }_2,\ldots ,X^{\prime }_m)\). Then for every fixed \(a \in { GF}(2^n)\)

$$\begin{aligned} \Pr [Y \oplus Y^{\prime } = a] = \frac{(2m-1)}{2^n} \end{aligned}$$

The probability is taken over the random choice of h.

For proving Theorem 1, we also use the following lemma.

Fig. 5

Game G2: \(\mathcal{S}\) and \(\mathcal{R}\) are multisets

Lemma 1

Let \(X=(X_1,X_2,\ldots ,X_m),X^{\prime }=(X^{\prime }_1,X^{\prime }_2,\ldots ,X^{\prime }_m)\in [{ GF}(2^n)]^m\) such that \(X\ne X^{\prime }\). Let \(Y = h\mathsf{BRW}_h(X_1,X_2,\ldots ,X_m)\) and \(Y^{\prime } = h\mathsf{BRW}_h(X^{\prime }_1,X^{\prime }_2,\ldots ,X^{\prime }_m)\). Then for every fixed \(\delta \in { GF}(2^n)\)

$$\begin{aligned} \Pr [Y \oplus Y^{\prime } = \delta ] \le \frac{2m}{2^n}, \end{aligned}$$

The probability is taken over the random choice of h.

The proof easily follows from Property 2 of the BRW polynomials [32].

Proof of Theorem 1

To prove the security of BCTR\([\varPi ]\), we replace the block cipher E in the construction of Fig. 1 by a permutation \(\pi \) chosen uniformly at random from \(\varPi = \mathrm {Perm}(n)\). We call the encryption function of BCTR\([\varPi ]\) as \({{\mathbf {E}}}_{h,\pi }\), where \(h\mathop {\leftarrow }\limits ^{\$}\{0,1\}^n\) is the key for the BRW polynomial. We prove the privacy bound first. We consider the game playing technique. We briefly discuss the games below:

1. 1.

   Game G0: In G0 (shown in Fig. 4), the block cipher is replaced by the random permutation \(\pi \). The permutation \(\pi \) is constructed on the fly keeping record of the domain and range sets as done in the subroutine Ch-\(\pi \) in Fig. 4. Thus, G0 provide the proper encryption oracle to \(\mathcal {A}\). Thus, we have:

   $$\begin{aligned} \Pr \left[ \mathcal {A}^{{{\mathbf {E}}}_{h,\pi }(.,.)}\Rightarrow 1\right] = \Pr [\mathcal {A}^{\text{ G0 }}\Rightarrow 1]. \end{aligned}$$

   (6)
2. 2.

   Game G1: Fig. 4 with the boxed entries removed represents the game G1. In G1, it is not guaranteed that Ch-\(\pi \) behaves like a permutation, but the games G0 and G1 are identical until the bad flag is set. Thus, we have

   $$\begin{aligned} \Pr [\mathcal {A}^{\text{ G0 }}\Rightarrow 1] - \Pr [\mathcal {A}^{\text{ G1 }}\Rightarrow 1] \le \Pr [\mathcal {A}^{\text{ G1 }} \text{ sets } \text{ bad }]. \end{aligned}$$

   (7)

   Note that in G1 the adversary gets random strings as output irrespective of his queries. Hence,

   $$\begin{aligned} \Pr [\mathcal {A}^{\text{ G1 }}\Rightarrow 1] = \Pr [\mathcal {A}^{\$(.,.)}\Rightarrow 1]. \end{aligned}$$

   (8)
3. 3.

   Game G2: In Game G2 (shown in Fig. 5), we do not use the subroutine Ch-\(\pi \) any more but return random strings immediately after the \(\mathcal {A}\) asks a query. Later we keep track of the elements that would have got in the domain and range sets of the permutation \(\pi \) in multisets \(\mathcal{S}\) and \(\mathcal{R}\). We set the bad flag when there is a collision in either \(\mathcal{S}\) or \(\mathcal{R}\). For the adversary, the games G1 and G2 are identical. So,

   $$\begin{aligned} \Pr [\mathcal {A}^{{G1}} \Rightarrow 1] = \Pr [\mathcal {A}^{{G2}} \Rightarrow 1], \end{aligned}$$

   (9)

   and

   $$\begin{aligned} \Pr [\mathcal {A}^{{G1}} \text{ sets } \text{ bad }] = \Pr [\mathcal {A}^{{G2}} \text{ sets } \text{ bad }]. \end{aligned}$$

   (10)

Hence, using Eqs. (6), (7), (8), (9) and (10), we have

$$\begin{aligned} \Pr \left[ \mathcal {A}^{{{\mathbf {E}}}_{h,\pi }(.,.)}\Rightarrow 1\right] - \Pr [A^{\$(.,.)}\Rightarrow 1] \le \Pr [\mathcal {A}^{{G2}} \text{ sets } \text{ bad }]. \end{aligned}$$

According to the definition of the privacy advantage of \(\mathcal {A}\), we have

$$\begin{aligned} \mathbf{Adv}_{{BCTR}[\varPi ]}^{\mathrm{dae-priv}}(\mathcal {A}) \le \Pr [\mathcal {A}^{{G2}} \text{ sets } \text{ bad }] \end{aligned}$$

(11)

Now we need to bound \(\Pr [\mathcal {A}^{{G2}} \text{ sets } \text{ bad }]\). Assuming that \(\mathcal{A}\) makes a total of q queries, the elements in the multisets \(\mathcal{S}\) and \(\mathcal{R}\) after the interaction of \(\mathcal{A}\) with G2 terminates would be

$$\begin{aligned} \mathcal{S}= & {} \{\gamma ^s : 1 \le s \le q\} \cup \nonumber \\&\{\tau ^s \oplus \mathsf{bin}_n(i): 1 \le i \le m, 1 \le s \le q \} \end{aligned}$$

(12)

$$\begin{aligned} \mathcal{R}= & {} \{\tau ^s: 1 \le s \le q\} \cup \nonumber \\&\{ C_i^s \oplus P_i^s: 1 \le i \le m, 1 \le s \le q \}, \end{aligned}$$

(13)

Let \(\mathsf{COLLD}\) be the event that there is a collision in \(\mathcal{S}\) and \(\mathsf{COLLR}\) be the event that there is a collision in \(\mathcal{R}\). Using the facts that \(\gamma ^s = h\mathsf{BRW}_h(P_1^s||P_2^s||\ldots ||P_m^s||T^s)\) and \(\tau ^s, C_i^s\) are uniform random elements of \(\{0,1\}^n\), we have the following:

1. 1.

   For \(1\le s, s'\le q\) and \(s \ne s', \Pr [\gamma ^s = \gamma ^{s'}] \le 2(m+1)/2^n\) (see Lemma 1).

2. 2.

   For \(1\le s, s'\le q, 1\le i,i'\le m\), and \(s \ne s', \Pr [\tau ^{s} \oplus {\mathsf{bin}}_n(i)= \tau ^{s'} \oplus {\mathsf{bin}}_n(i')] \le 1/2^n\), as \(\tau ^s, \tau ^{s'}\) are uniform random elements in \(\{0,1\}^n\).

3. 3.

   For \(1\le s\le q, 1\le i,i'\le m\), and \(i \ne i', \Pr [\tau ^{s} \oplus {\mathsf{bin}}_n(i)= \tau ^{s} \oplus {\mathsf{bin}}_n(i')] =0\).

4. 4.

   For \(1\le s\le q, 1\le i \le m, \Pr [\gamma ^s = \tau ^s \oplus {\mathsf{bin}}_n(i)] = 2(m+1)/2^n\). To see this, note that \(\gamma ^s \oplus \tau ^s \oplus {\mathsf{bin}}_n(i)\) is a nonzero polynomial on h of degree at most \(2(m+1)\) [32].

5. 5.

   For \(1\le s, s'\le q\) and \(s \ne s', \Pr [\tau ^s = \tau ^{s'}] =1/2^n\).

6. 6.

   For \(1\le s\le q, 1\le i, i'\le m\), and \(i \ne i', \Pr [C_i^s \oplus P_i^s =C_{i'}^s \oplus P_{i'}^s] = 1/2^n\).

7. 7.

   For \(1\le s\le q, 1\le i\le m, \Pr [\tau ^s = C_i^s \oplus P_i^s] = 1/2^n\), as \(\tau ^s\) and \(C_i^s\) are uniform random elements in \(\{0,1\}^n\).

Using the above observations, and the union bound we conclude,

$$\begin{aligned} \Pr [\mathsf{COLLD}]\le & {} {q \atopwithdelims ()2}\frac{(2m+2)}{2^n} \,{+}\, {mq \atopwithdelims ()2}\frac{1}{2^n}+ \frac{2mq^2(m\,{+}\,1)}{2^n}\nonumber \\\le & {} \frac{7m^2q^2}{2^n}, \end{aligned}$$

(14)

and

$$\begin{aligned} \Pr [\mathsf{COLLR}]= & {} {(mq + q )\atopwithdelims ()2} \frac{1}{2^n}\nonumber \\\le & {} \frac{2m^2q^2}{2^{n}}. \end{aligned}$$

(15)

Thus, we have

$$\begin{aligned} \Pr [\mathcal {A}^{{G2}} \text{ sets } \text{ bad }]= & {} \Pr [\mathsf{COLLD}] + \Pr [\mathsf{COLLR}] \nonumber \\\le & {} \frac{9m^2q^2}{2^n} \end{aligned}$$

(16)

This completes the proof of the privacy bound.

Proving the authentication bound: To prove the authenticity bound, we assume that \(\mathcal {A}\) makes a total of q queries including the forgery. The first \(q-1\) queries are \((T^1;P^1),(T^2;P^2),\ldots , (T^{q-1};P^{q-1})\).

Finally \(\mathcal {A}\) attempts a forgery \((T^q;C^q||\tau ^q)\).

We describe how the queries of \(\mathcal{A}\) are responded. As in the previous proof, we assume the BCTR construction to be instantiated with \(\pi \) selected randomly from \(\text{ Perm }(n)\). We start with two empty multisets \(\mathsf{Dom}\) and \(\mathsf{Ran}\). In response to the \(s^{th}\) query \((T^s,P^s)\)(\(1\le s \le q-1\)) the following steps are executed:

1. 1.

   A uniform random string \(C^s||\tau ^s\) of \((m+1)n\) bits is returned to \(\mathcal{A}\).

2. 2.

   \(\gamma ^s = h\mathsf{BRW}_h(P^s1,P^s_2,\ldots ,P^s_m,T^s_m)\) is inserted in \(\mathsf{Dom}\) and \(\tau ^s\) is inserted in \(\mathsf{Ran}\).

3. 3.

   For \(1\le i \le m, \tau ^s \oplus \mathsf{bin}_n(i)\) is inserted in \(\mathsf{Dom}\) and \((P^s_i \oplus C^s_i)\) is inserted into \(\mathsf{Ran}\).

Note that this simulation is perfect if there is no collision in the multisets \(\mathsf{Dom}\) and \(\mathsf{Rng}\).

For the final forgery query \(C^q||\tau ^q\), let \(C^q = C^q_1|| C^q_2||\cdots ||C^q_m\), and \(P_i^q = C_i^q \oplus \pi (\tau ^q \oplus \mathsf{bin}_n(i)\), for \(1\le i \le m\). Let \(\gamma ^q = h\mathsf{BRW}_h(P_1^q,P_2^q,\ldots ,P_m^q)\). The adversary is successful in its forgery if \(\pi (\gamma ^q) = \tau ^q\). If \(\gamma ^q\) is distinct from all the elements in \(\mathsf{Dom}\) and \(\tau ^q\) is also distinct from all elements in \(\mathsf{Rng}\), then \(\Pr [\pi (\gamma ^q) = \tau ^q] = 1/2^n\). If \(\gamma ^q\) is distinct from all elements in \(\mathsf{Dom}\) and \(\tau ^q\) is in \(\mathsf{Rng}\), then \(\Pr [\pi (\gamma ^q) = \tau ^q] = 0\).

Let \(\mathsf{COLL}\) be the event that there is a collision in the set \(\mathsf{Dom} \cup \{ \gamma ^q\}\) or \(\mathsf{Rng}\), then we have

$$\begin{aligned} \mathbf{Adv}_{{BCTR}[\varPi ]}^{\mathrm{dae-auth}}(\mathcal {A})= & {} \Pr [\tau ^q = \pi (\gamma ^q)] \\= & {} \Pr [\tau ^q = \pi (\gamma ^q)|\mathsf{COLL}]\Pr [\mathsf{COLL}]\\&+\Pr [\tau ^q = \pi (\gamma ^q)|\overline{\mathsf{COLL}}]\Pr [\overline{\mathsf{COLL}}]\\\le & {} \Pr [\tau ^q = \pi (\gamma ^q)|\overline{\mathsf{COLL}}] + \Pr [\mathsf{COLL}]\\\le & {} \frac{1}{2^n} + \Pr [\mathsf{COLL}]. \end{aligned}$$

It is easy to verify that \(\Pr [\mathsf{COL}] \le \Pr [\mathsf{COLLD}] + \Pr [\mathsf{COLLR}]\), where \(\mathsf{COLLD}\) and \(\mathsf{COLLR}\) are defined in the proof for privacy. Thus, using Eqs. (14), (15), we have

$$\begin{aligned} \mathbf{Adv}_{{BCTR}[\varPi ]}^{\mathrm{dae-auth}}(\mathcal {A}) \le \frac{1}{2^n} + \frac{9m^2q^2}{2^n}, \end{aligned}$$

as desired.\(\square \)