RFC 8645
Re-keying Mechanisms for Symmetric Keys
Pages: 69
Informational
Informational
Part 2 of 3 – Pages 20 to 43
6. Internal Re-keying Mechanisms
This section presents an approach to increasing the key lifetime by using a transformation of a data-processing key (section key) during each separate message processing. Each message is processed starting with the same key (the first section key), and each section key is updated after processing N bits of the message (section). This section provides internal re-keying mechanisms called ACPKM (Advanced Cryptographic Prolongation of Key Material) and ACPKM- Master that do not use a master key and use a master key, respectively. Such mechanisms are integrated into the base modes of operation and actually form new modes of operation. Therefore, they are called "internal re-keying" mechanisms in this document. Internal re-keying mechanisms are recommended to be used in protocols that process large single messages (e.g., CMS messages), since the maximum gain in increasing the key lifetime is achieved by increasing the length of a message, while it provides almost no increase in the number of messages that can be processed with one initial key. Internal re-keying increases the key lifetime through the following approach. Suppose protocol P uses some base mode of operation. Let L1 and L2 be a side channel and combinatorial limitations, respectively, and for some fixed number of messages q, let m1, m2 be the lengths of messages that can be safely processed with a single initial key K according to these limitations. Thus, the approach without re-keying (analogous to Section 5) yields a final key lifetime restriction equal to L1, and only q messages of the length m1 can be safely processed; see Figure 7.
K | v ^ +----------------+------------------------------------+ | |==============L1| L2| | |================| | q |================| | | |================| | | |================| | v +----------------+------------------------------------+ <-------m1-------> <----------------------------m2-----------------------> Figure 7: Basic Principles of Message Processing without Internal Re-keying Suppose that the safety margin for the protocol P is fixed and the internal re-keying approach is applied to the base mode of operation. Suppose further that every message is processed with a section key, which is transformed after processing N bits of data, where N is a parameter. If q * N does not exceed L1, then the side-channel limitation L1 goes off, and the resulting key lifetime limitation of the initial key K can be calculated on the basis of a new combinatorial limitation L2'. The security of the mode of operation that uses internal re-keying increases when compared to the base mode of operation without re-keying (thus, L2 < L2'). Hence, as displayed in Figure 8, the resulting key lifetime limitation if using internal re-keying can be increased up to L2'. K-----> K^1-------------> K^2 -----------> . . . | | v v ^ +---------------+---------------+------------------+--...--+ | |=============L1|=============L1|====== L2| L2'| | |===============|===============|====== | | q |===============|===============|====== . . . | | | |===============|===============|====== | | | |===============|===============|====== | | v +---------------+---------------+------------------+--...--+ <-------N-------> Figure 8: Basic Principles of Message Processing with Internal Re-keying Note: The key transformation process is depicted in a simplified form. A specific approach (ACPKM and ACPKM-Master re-keying mechanisms) is described below.
Since the performance of encryption can slightly decrease for rather small values of N, the maximum possible value should be selected for parameter N for a particular protocol in order to provide the necessary key lifetime for the considered security models. Consider an example. Suppose L1 = 128 MB and L2 = 10 TB. Let the message size in the protocol be large/unlimited (which may exhaust the whole key lifetime L2). The most restrictive resulting key lifetime limitation is equal to 128 MB. Thus, there is a need to put a limit on the maximum message size m_max. For example, if m_max = 32 MB, it may happen that the renegotiation of initial key K would be required after processing only four messages. If an internal re-keying mechanism with section size N = 1 MB is used, more than L1 / N = 128 MB / 1 MB = 128 messages can be processed before the renegotiation of initial key K (instead of four messages when an internal re-keying mechanism is not used). Note that only one section of each message is processed with the section key K^i, and, consequently, the key lifetime limitation L1 goes off. Hence, the resulting key lifetime limitation L2' can be set to more than 10 TB (in cases when a single large message is processed using the initial key K).6.1. Methods of Key Lifetime Control
Suppose L is an amount of data that can be safely processed with one section key and N is a section size (fixed parameter). Suppose M^{i}_1 is the first section of message M^{i}, i = 1, ... , q (see Figures 9 and 10); the parameter q can then be calculated in accordance with one of the following two approaches: o Explicit approach: q_i is such that |M^{1}_1| + ... + |M^{q}_1| <= L, |M^{1}_1| + ... + |M^{q+1}_1| > L This approach allows use of the section key K^i in an almost optimal way, but it can be applied only when messages cannot be lost or reordered (e.g., TLS records). o Implicit approach: q = L / N. The amount of data processed with one section key K^i is calculated under the assumption that the length of every message is equal to or greater than section size N and thus can be considerably less than the key lifetime limitation L. On the other hand, this approach can be applied when messages may be lost or reordered (e.g., DTLS records).
6.2. Constructions that Do Not Require a Master Key
This section describes the block cipher modes that use the ACPKM re-keying mechanism, which does not use a master key; an initial key is used directly for the data encryption.6.2.1. ACPKM Re-keying Mechanisms
This section defines a periodical key transformation without a master key, which is called the ACPKM re-keying mechanism. This mechanism can be applied to one of the base encryption modes (CTR and GCM block cipher modes) to get an extension of this encryption mode that uses periodical key transformation without a master key. This extension can be considered as a new encryption mode. An additional parameter that defines the functioning of base encryption modes with the ACPKM re-keying mechanism is the section size N. The value of N is measured in bits and is fixed within a specific protocol based on the requirements of the system capacity and the key lifetime. The section size N MUST be divisible by the block size n. The main idea behind internal re-keying without a master key is presented in Figure 9: Section size = const = N, maximum message size = m_max. ____________________________________________________________________ ACPKM ACPKM ACPKM K^1 = K ---> K^2 ---...-> K^{l_max-1} ----> K^{l_max} | | | | | | | | v v v v M^{1} |==========|==========| ... |==========|=======: | M^{2} |==========|==========| ... |=== | : | . . . . . . : : : : : : : : M^{q} |==========|==========| ... |==========|===== : | section : <----------> m_max N bit ___________________________________________________________________ l_max = ceil(m_max/N). Figure 9: Internal Re-keying without a Master Key
During the processing of the input message M with the length m in
some encryption mode that uses the ACPKM key transformation of the
initial key K, the message is divided into l = ceil(m / N) sections
(denoted as M = M_1 | M_2 | ... | M_l, where M_i is in V_N for i in
{1, 2, ... , l - 1} and M_l is in V_r, r <= N). The first section of
each message is processed with the section key K^1 = K. To process
the (i + 1)-th section of each message, the section key K^{i+1} is
calculated using the ACPKM transformation as follows:
K^{i+1} = ACPKM(K^i) = MSB_k(E_{K^i}(D_1) | ... | E_{K^i}(D_J)),
where J = ceil(k/n) and D_1, D_2, ... , D_J are in V_n and are
calculated as follows:
D_1 | D_2 | ... | D_J = MSB_{J * n}(D),
where D is the following constant in V_{1024}:
D = ( 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87
| 88 | 89 | 8a | 8b | 8c | 8d | 8e | 8f
| 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97
| 98 | 99 | 9a | 9b | 9c | 9d | 9e | 9f
| a0 | a1 | a2 | a3 | a4 | a5 | a6 | a7
| a8 | a9 | aa | ab | ac | ad | ae | af
| b0 | b1 | b2 | b3 | b4 | b5 | b6 | b7
| b8 | b9 | ba | bb | bc | bd | be | bf
| c0 | c1 | c2 | c3 | c4 | c5 | c6 | c7
| c8 | c9 | ca | cb | cc | cd | ce | cf
| d0 | d1 | d2 | d3 | d4 | d5 | d6 | d7
| d8 | d9 | da | db | dc | dd | de | df
| e0 | e1 | e2 | e3 | e4 | e5 | e6 | e7
| e8 | e9 | ea | eb | ec | ed | ee | ef
| f0 | f1 | f2 | f3 | f4 | f5 | f6 | f7
| f8 | f9 | fa | fb | fc | fd | fe | ff)
Note: The constant D is such that D_1, ... , D_J are pairwise
different for any allowed n and k values.
Note: The highest bit of each octet of the constant D is equal to 1.
This condition is important as, in conjunction with a certain mode
message length limitation, it allows prevention of collisions of
block cipher permutation inputs in cases with key transformation and
message processing (for more details, see Section 4.4 of [AAOS2017]).
6.2.2. CTR-ACPKM Encryption Mode
This section defines a CTR-ACPKM encryption mode that uses the ACPKM internal re-keying mechanism for the periodical key transformation. The CTR-ACPKM mode can be considered as the base encryption mode CTR (see [MODES]) extended by the ACPKM re-keying mechanism. The CTR-ACPKM encryption mode can be used with the following parameters: o 64 <= n <= 512. o 128 <= k <= 512. o The number c of bits in a specific part of the block to be incremented is such that 32 <= c <= 3 / 4 n, where c is a multiple of 8. o The maximum message size m_max = n * 2^{c-1}. The CTR-ACPKM mode encryption and decryption procedures are defined as follows: +----------------------------------------------------------------+ | CTR-ACPKM-Encrypt(N, K, ICN, P) | |----------------------------------------------------------------| | Input: | | - section size N, | | - initial key K, | | - initial counter nonce ICN in V_{n-c}, | | - plaintext P = P_1 | ... | P_b, |P| <= m_max. | | Output: | | - ciphertext C. | |----------------------------------------------------------------| | 1. CTR_1 = ICN | 0^c | | 2. For j = 2, 3, ... , b do | | CTR_{j} = Inc_c(CTR_{j-1}) | | 3. K^1 = K | | 4. For i = 2, 3, ... , ceil(|P| / N) | | K^i = ACPKM(K^{i-1}) | | 5. For j = 1, 2, ... , b do | | i = ceil(j * n / N), | | G_j = E_{K^i}(CTR_j) | | 6. C = P (xor) MSB_{|P|}(G_1 | ... | G_b) | | 7. Return C | +----------------------------------------------------------------+
+----------------------------------------------------------------+
| CTR-ACPKM-Decrypt(N, K, ICN, C) |
|----------------------------------------------------------------|
| Input: |
| - section size N, |
| - initial key K, |
| - initial counter nonce ICN in V_{n-c}, |
| - ciphertext C = C_1 | ... | C_b, |C| <= m_max. |
| Output: |
| - plaintext P. |
|----------------------------------------------------------------|
| 1. P = CTR-ACPKM-Encrypt(N, K, ICN, C) |
| 2. Return P |
+----------------------------------------------------------------+
The initial counter nonce (ICN) value for each message that is
encrypted under the given initial key K must be chosen in a unique
manner.
6.2.3. GCM-ACPKM Authenticated Encryption Mode
This section defines the GCM-ACPKM authenticated encryption mode that
uses the ACPKM internal re-keying mechanism for the periodical key
transformation.
The GCM-ACPKM mode can be considered as the base authenticated
encryption mode GCM (see [GCM]) extended by the ACPKM re-keying
mechanism.
The GCM-ACPKM authenticated encryption mode can be used with the
following parameters:
o n in {128, 256}.
o 128 <= k <= 512.
o The number c of bits in a specific part of the block to be
incremented is such that 1 / 4 n <= c <= 1 / 2 n, c is a multiple
of 8.
o Authentication tag length t.
o The maximum message size m_max = min{n * (2^{c-1} - 2), 2^{n/2} -
1}.
The GCM-ACPKM mode encryption and decryption procedures are defined
as follows:
+-------------------------------------------------------------------+
| GHASH(X, H) |
|-------------------------------------------------------------------|
| Input: |
| - bit string X = X_1 | ... | X_m, X_1, ... , X_m in V_n. |
| Output: |
| - block GHASH(X, H) in V_n. |
|-------------------------------------------------------------------|
| 1. Y_0 = 0^n |
| 2. For i = 1, ... , m do |
| Y_i = (Y_{i-1} (xor) X_i) * H |
| 3. Return Y_m |
+-------------------------------------------------------------------+
+-------------------------------------------------------------------+
| GCTR(N, K, ICB, X) |
|-------------------------------------------------------------------|
| Input: |
| - section size N, |
| - initial key K, |
| - initial counter block ICB, |
| - X = X_1 | ... | X_b. |
| Output: |
| - Y in V_{|X|}. |
|-------------------------------------------------------------------|
| 1. If X in V_0, then return Y, where Y in V_0 |
| 2. GCTR_1 = ICB |
| 3. For i = 2, ... , b do |
| GCTR_i = Inc_c(GCTR_{i-1}) |
| 4. K^1 = K |
| 5. For j = 2, ... , ceil(|X| / N) |
| K^j = ACPKM(K^{j-1}) |
| 6. For i = 1, ... , b do |
| j = ceil(i * n / N), |
| G_i = E_{K_j}(GCTR_i) |
| 7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b) |
| 8. Return Y |
+-------------------------------------------------------------------+
+-------------------------------------------------------------------+
| GCM-ACPKM-Encrypt(N, K, ICN, P, A) |
|-------------------------------------------------------------------|
| Input: |
| - section size N, |
| - initial key K, |
| - initial counter nonce ICN in V_{n-c}, |
| - plaintext P = P_1 | ... | P_b, |P| <= m_max, |
| - additional authenticated data A. |
| Output: |
| - ciphertext C, |
| - authentication tag T. |
|-------------------------------------------------------------------|
| 1. H = E_{K}(0^n) |
| 2. ICB_0 = ICN | 0^{c-1} | 1 |
| 3. C = GCTR(N, K, Inc_c(ICB_0), P) |
| 4. u = n * ceil(|C| / n) - |C| |
| v = n * ceil(|A| / n) - |A| |
| 5. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) | |
| | Vec_{n/2}(|C|), H) |
| 6. T = MSB_t(E_{K}(ICB_0) (xor) S) |
| 7. Return C | T |
+-------------------------------------------------------------------+
+-------------------------------------------------------------------+
| GCM-ACPKM-Decrypt(N, K, ICN, A, C, T) |
|-------------------------------------------------------------------|
| Input: |
| - section size N, |
| - initial key K, |
| - initial counter block ICN, |
| - additional authenticated data A, |
| - ciphertext C = C_1 | ... | C_b, |C| <= m_max, |
| - authentication tag T. |
| Output: |
| - plaintext P or FAIL. |
|-------------------------------------------------------------------|
| 1. H = E_{K}(0^n) |
| 2. ICB_0 = ICN | 0^{c-1} | 1 |
| 3. P = GCTR(N, K, Inc_c(ICB_0), C) |
| 4. u = n * ceil(|C| / n) - |C| |
| v = n * ceil(|A| / n) - |A| |
| 5. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) | |
| | Vec_{n/2}(|C|), H) |
| 6. T' = MSB_t(E_{K}(ICB_0) (xor) S) |
| 7. If T = T', then return P; else return FAIL |
+-------------------------------------------------------------------+
The * operation on (pairs of) the 2^n possible blocks corresponds to the multiplication operation for the binary Galois (finite) field of 2^n elements defined by the polynomial f as follows (analogous to [GCM]): n = 128: f = a^128 + a^7 + a^2 + a^1 + 1, n = 256: f = a^256 + a^10 + a^5 + a^2 + 1. The initial counter nonce ICN value for each message that is encrypted under the given initial key K must be chosen in a unique manner. The key for computing values E_{K}(ICB_0) and H is not updated and is equal to the initial key K.6.3. Constructions that Require a Master Key
This section describes the block cipher modes that use the ACPKM- Master re-keying mechanism, which use the initial key K as a master key, so K is never used directly for data processing but is used for key derivation.6.3.1. ACPKM-Master Key Derivation from the Master Key
This section defines periodical key transformation with a master key, which is called the ACPKM-Master re-keying mechanism. This mechanism can be applied to one of the base modes of operation (CTR, GCM, CBC, CFB, OMAC modes) for getting an extension that uses periodical key transformation with a master key. This extension can be considered as a new mode of operation. Additional parameters that define the functioning of modes of operation that use the ACPKM-Master re-keying mechanism are the section size N, the change frequency T* of the master keys K*_1, K*_2, ... (see Figure 10), and the size d of the section key material. The values of N and T* are measured in bits and are fixed within a specific protocol based on the requirements of the system capacity and the key lifetime. The section size N MUST be divisible by the block size n. The master key frequency T* MUST be divisible by d and by n.
The main idea behind internal re-keying with a master key is presented in Figure 10: Master key frequency T*, section size N, maximum message size = m_max. _____________________________________________________________________ ACPKM ACPKM K*_1 = K----------> K*_2 ---------...-----> K*_l_max ___|___ ___|___ ___|___ | | | | | | v ... v v ... v v ... v K[1] K[t] K[t+1] K[2*t] K[(l_max-1)t+1] K[l_max*t] | | | | | | | | | | | | v v v v v v M^{1}||======|...|======||======|...|======||...||======|...|== : || M^{2}||======|...|======||======|...|======||...||======|...|====: || ... || | | || | | || || | | : || M^{q}||======|...|======||==== |...| ||...|| |...| : || section : <------> : N bit m_max _____________________________________________________________________ |K[i]| = d, t = T* / d, l_max = ceil(m_max / (N * t)). Figure 10: Internal Re-keying with a Master Key During the processing of the input message M with the length m in some mode of operation that uses ACPKM-Master key transformation with the initial key K and the master key frequency T*, the message M is divided into l = ceil(m / N) sections (denoted as M = M_1 | M_2 | ... | M_l, where M_i is in V_N for i in {1, 2, ... , l - 1} and M_l is in V_r, r <= N). The j-th section of each message is processed with the key material K[j], j in {1, ... , l}, |K[j]| = d, which is calculated with the ACPKM-Master algorithm as follows: K[1] | ... | K[l] = ACPKM-Master(T*, K, d, l) = CTR-ACPKM-Encrypt (T*, K, 1^{n/2}, 0^{d*l}). Note: The parameters d and l MUST be such that d * l <= n * 2^{n/2-1}.
6.3.2. CTR-ACPKM-Master Encryption Mode
This section defines a CTR-ACPKM-Master encryption mode that uses the ACPKM-Master internal re-keying mechanism for the periodical key transformation. The CTR-ACPKM-Master encryption mode can be considered as the base encryption mode CTR (see [MODES]) extended by the ACPKM-Master re-keying mechanism. The CTR-ACPKM-Master encryption mode can be used with the following parameters: o 64 <= n <= 512. o 128 <= k <= 512. o The number c of bits in a specific part of the block to be incremented is such that 32 <= c <= 3 / 4 n, c is a multiple of 8. o The maximum message size m_max = min{N * (n * 2^{n/2-1} / k), n * 2^c}. The key material K[j] that is used for one-section processing is equal to K^j, where |K^j| = k bits.
The CTR-ACPKM-Master mode encryption and decryption procedures are
defined as follows:
+----------------------------------------------------------------+
| CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, P) |
|----------------------------------------------------------------|
| Input: |
| - section size N, |
| - initial key K, |
| - master key frequency T*, |
| - initial counter nonce ICN in V_{n-c}, |
| - plaintext P = P_1 | ... | P_b, |P| <= m_max. |
| Output: |
| - ciphertext C. |
|----------------------------------------------------------------|
| 1. CTR_1 = ICN | 0^c |
| 2. For j = 2, 3, ... , b do |
| CTR_{j} = Inc_c(CTR_{j-1}) |
| 3. l = ceil(|P| / N) |
| 4. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) |
| 5. For j = 1, 2, ... , b do |
| i = ceil(j * n / N), |
| G_j = E_{K^i}(CTR_j) |
| 6. C = P (xor) MSB_{|P|}(G_1 | ... |G_b) |
| 7. Return C |
|----------------------------------------------------------------+
+----------------------------------------------------------------+
| CTR-ACPKM-Master-Decrypt(N, K, T*, ICN, C) |
|----------------------------------------------------------------|
| Input: |
| - section size N, |
| - initial key K, |
| - master key frequency T*, |
| - initial counter nonce ICN in V_{n-c}, |
| - ciphertext C = C_1 | ... | C_b, |C| <= m_max. |
| Output: |
| - plaintext P. |
|----------------------------------------------------------------|
| 1. P = CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, C) |
| 1. Return P |
+----------------------------------------------------------------+
The initial counter nonce ICN value for each message that is
encrypted under the given initial key must be chosen in a unique
manner.
6.3.3. GCM-ACPKM-Master Authenticated Encryption Mode
This section defines a GCM-ACPKM-Master authenticated encryption mode that uses the ACPKM-Master internal re-keying mechanism for the periodical key transformation. The GCM-ACPKM-Master authenticated encryption mode can be considered as the base authenticated encryption mode GCM (see [GCM]) extended by the ACPKM-Master re-keying mechanism. The GCM-ACPKM-Master authenticated encryption mode can be used with the following parameters: o n in {128, 256}. o 128 <= k <= 512. o The number c of bits in a specific part of the block to be incremented is such that 1 / 4 n <= c <= 1 / 2 n, c is a multiple of 8. o authentication tag length t. o the maximum message size m_max = min{N * ( n * 2^{n/2-1} / k), n * (2^c - 2), 2^{n/2} - 1}. The key material K[j] that is used for the j-th section processing is equal to K^j, |K^j| = k bits. The GCM-ACPKM-Master mode encryption and decryption procedures are defined as follows: +-------------------------------------------------------------------+ | GHASH(X, H) | |-------------------------------------------------------------------| | Input: | | - bit string X = X_1 | ... | X_m, X_i in V_n for i in {1, ... ,m}| | Output: | | - block GHASH(X, H) in V_n | |-------------------------------------------------------------------| | 1. Y_0 = 0^n | | 2. For i = 1, ... , m do | | Y_i = (Y_{i-1} (xor) X_i) * H | | 3. Return Y_m | +-------------------------------------------------------------------+
+-------------------------------------------------------------------+
| GCTR(N, K, T*, ICB, X) |
|-------------------------------------------------------------------|
| Input: |
| - section size N, |
| - initial key K, |
| - master key frequency T*, |
| - initial counter block ICB, |
| - X = X_1 | ... | X_b. |
| Output: |
| - Y in V_{|X|}. |
|-------------------------------------------------------------------|
| 1. If X in V_0, then return Y, where Y in V_0 |
| 2. GCTR_1 = ICB |
| 3. For i = 2, ... , b do |
| GCTR_i = Inc_c(GCTR_{i-1}) |
| 4. l = ceil(|X| / N) |
| 5. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) |
| 6. For j = 1, ... , b do |
| i = ceil(j * n / N), |
| G_j = E_{K^i}(GCTR_j) |
| 7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b) |
| 8. Return Y |
+-------------------------------------------------------------------+
+-------------------------------------------------------------------+
| GCM-ACPKM-Master-Encrypt(N, K, T*, ICN, P, A) |
|-------------------------------------------------------------------|
| Input: |
| - section size N, |
| - initial key K, |
| - master key frequency T*, |
| - initial counter nonce ICN in V_{n-c}, |
| - plaintext P = P_1 | ... | P_b, |P| <= m_max. |
| - additional authenticated data A. |
| Output: |
| - ciphertext C, |
| - authentication tag T. |
|-------------------------------------------------------------------|
| 1. K^1 = ACPKM-Master(T*, K, k, 1) |
| 2. H = E_{K^1}(0^n) |
| 3. ICB_0 = ICN | 0^{c-1} | 1 |
| 4. C = GCTR(N, K, T*, Inc_c(ICB_0), P) |
| 5. u = n * ceil(|C| / n) - |C| |
| v = n * ceil(|A| / n) - |A| |
| 6. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) | |
| | Vec_{n/2}(|C|), H) |
| 7. T = MSB_t(E_{K^1}(ICB_0) (xor) S) |
| 8. Return C | T |
+-------------------------------------------------------------------+
+-------------------------------------------------------------------+
| GCM-ACPKM-Master-Decrypt(N, K, T*, ICN, A, C, T) |
|-------------------------------------------------------------------|
| Input: |
| - section size N, |
| - initial key K, |
| - master key frequency T*, |
| - initial counter nonce ICN in V_{n-c}, |
| - additional authenticated data A. |
| - ciphertext C = C_1 | ... | C_b, |C| <= m_max, |
| - authentication tag T. |
| Output: |
| - plaintext P or FAIL. |
|-------------------------------------------------------------------|
| 1. K^1 = ACPKM-Master(T*, K, k, 1) |
| 2. H = E_{K^1}(0^n) |
| 3. ICB_0 = ICN | 0^{c-1} | 1 |
| 4. P = GCTR(N, K, T*, Inc_c(ICB_0), C) |
| 5. u = n * ceil(|C| / n) - |C| |
| v = n * ceil(|A| / n) - |A| |
| 6. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) | |
| | Vec_{n/2}(|C|), H) |
| 7. T' = MSB_t(E_{K^1}(ICB_0) (xor) S) |
| 8. If T = T', then return P; else return FAIL. |
+-------------------------------------------------------------------+
The * operation on (pairs of) the 2^n possible blocks corresponds to
the multiplication operation for the binary Galois (finite) field of
2^n elements defined by the polynomial f as follows (by analogy with
[GCM]):
n = 128: f = a^128 + a^7 + a^2 + a^1 + 1,
n = 256: f = a^256 + a^10 + a^5 + a^2 + 1.
The initial counter nonce ICN value for each message that is
encrypted under the given initial key must be chosen in a unique
manner.
6.3.4. CBC-ACPKM-Master Encryption Mode
This section defines a CBC-ACPKM-Master encryption mode that uses the ACPKM-Master internal re-keying mechanism for the periodical key transformation. The CBC-ACPKM-Master encryption mode can be considered as the base encryption mode CBC (see [MODES]) extended by the ACPKM-Master re-keying mechanism. The CBC-ACPKM-Master encryption mode can be used with the following parameters: o 64 <= n <= 512. o 128 <= k <= 512. o The maximum message size m_max = N * (n * 2^{n/2-1} / k). In the specification of the CBC-ACPKM-Master mode, the plaintext and ciphertext must be a sequence of one or more complete data blocks. If the data string to be encrypted does not initially satisfy this property, then it MUST be padded to form complete data blocks. The padding methods are out of the scope of this document. An example of a padding method can be found in Appendix A of [MODES]. The key material K[j] that is used for the j-th section processing is equal to K^j, |K^j| = k bits. We use D_{K} to denote the decryption function that is a permutation inverse to E_{K}.
The CBC-ACPKM-Master mode encryption and decryption procedures are
defined as follows:
+----------------------------------------------------------------+
| CBC-ACPKM-Master-Encrypt(N, K, T*, IV, P) |
|----------------------------------------------------------------|
| Input: |
| - section size N, |
| - initial key K, |
| - master key frequency T*, |
| - initialization vector IV in V_n, |
| - plaintext P = P_1 | ... | P_b, |P_b| = n, |P| <= m_max. |
| Output: |
| - ciphertext C. |
|----------------------------------------------------------------|
| 1. l = ceil(|P| / N) |
| 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) |
| 3. C_0 = IV |
| 4. For j = 1, 2, ... , b do |
| i = ceil(j * n / N), |
| C_j = E_{K^i}(P_j (xor) C_{j-1}) |
| 5. Return C = C_1 | ... | C_b |
|----------------------------------------------------------------+
+----------------------------------------------------------------+
| CBC-ACPKM-Master-Decrypt(N, K, T*, IV, C) |
|----------------------------------------------------------------|
| Input: |
| - section size N, |
| - initial key K, |
| - master key frequency T*, |
| - initialization vector IV in V_n, |
| - ciphertext C = C_1 | ... | C_b, |C_b| = n, |C| <= m_max. |
| Output: |
| - plaintext P. |
|----------------------------------------------------------------|
| 1. l = ceil(|C| / N) |
| 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) |
| 3. C_0 = IV |
| 4. For j = 1, 2, ... , b do |
| i = ceil(j * n / N) |
| P_j = D_{K^i}(C_j) (xor) C_{j-1} |
| 5. Return P = P_1 | ... | P_b |
+----------------------------------------------------------------+
The initialization vector IV for any particular execution of the
encryption process must be unpredictable.
6.3.5. CFB-ACPKM-Master Encryption Mode
This section defines a CFB-ACPKM-Master encryption mode that uses the ACPKM-Master internal re-keying mechanism for the periodical key transformation. The CFB-ACPKM-Master encryption mode can be considered as the base encryption mode CFB (see [MODES]) extended by the ACPKM-Master re-keying mechanism. The CFB-ACPKM-Master encryption mode can be used with the following parameters: o 64 <= n <= 512. o 128 <= k <= 512. o The maximum message size m_max = N * (n * 2^{n/2-1} / k). The key material K[j] that is used for the j-th section processing is equal to K^j, |K^j| = k bits. The CFB-ACPKM-Master mode encryption and decryption procedures are defined as follows: +-------------------------------------------------------------+ | CFB-ACPKM-Master-Encrypt(N, K, T*, IV, P) | |-------------------------------------------------------------| | Input: | | - section size N, | | - initial key K, | | - master key frequency T*, | | - initialization vector IV in V_n, | | - plaintext P = P_1 | ... | P_b, |P| <= m_max. | | Output: | | - ciphertext C. | |-------------------------------------------------------------| | 1. l = ceil(|P| / N) | | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | | 3. C_0 = IV | | 4. For j = 1, 2, ... , b - 1 do | | i = ceil(j * n / N), | | C_j = E_{K^i}(C_{j-1}) (xor) P_j | | 5. C_b = MSB_{|P_b|}(E_{K^l}(C_{b-1})) (xor) P_b | | 6. Return C = C_1 | ... | C_b | |-------------------------------------------------------------+
+-------------------------------------------------------------+
| CFB-ACPKM-Master-Decrypt(N, K, T*, IV, C) |
|-------------------------------------------------------------|
| Input: |
| - section size N, |
| - initial key K, |
| - master key frequency T*, |
| - initialization vector IV in V_n, |
| - ciphertext C = C_1 | ... | C_b, |C| <= m_max. |
| Output: |
| - plaintext P. |
|-------------------------------------------------------------|
| 1. l = ceil(|C| / N) |
| 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) |
| 3. C_0 = IV |
| 4. For j = 1, 2, ... , b - 1 do |
| i = ceil(j * n / N), |
| P_j = E_{K^i}(C_{j-1}) (xor) C_j |
| 5. P_b = MSB_{|C_b|}(E_{K^l}(C_{b-1})) (xor) C_b |
| 6. Return P = P_1 | ... | P_b |
+-------------------------------------------------------------+
The initialization vector IV for any particular execution of the
encryption process must be unpredictable.
6.3.6. OMAC-ACPKM-Master Authentication Mode
This section defines an OMAC-ACPKM-Master message authentication code
calculation mode that uses the ACPKM-Master internal re-keying
mechanism for the periodical key transformation.
The OMAC-ACPKM-Master mode can be considered as the base message
authentication code calculation mode OMAC1, which is also known as
CMAC (see [RFC4493]), extended by the ACPKM-Master re-keying
mechanism.
The OMAC-ACPKM-Master message authentication code calculation mode
can be used with the following parameters:
o n in {64, 128, 256}.
o 128 <= k <= 512.
o The maximum message size m_max = N * (n * 2^{n/2-1} / (k + n)).
The key material K[j] that is used for one-section processing is
equal to K^j | K^j_1, where |K^j| = k bits and |K^j_1| = n bits.
The following is a specification of the subkey generation process of
OMAC:
+-------------------------------------------------------------------+
| Generate_Subkey(K1, r) |
|-------------------------------------------------------------------|
| Input: |
| - key K1. |
| Output: |
| - key SK. |
|-------------------------------------------------------------------|
| 1. If r = n, then return K1 |
| 2. If r < n, then |
| if MSB_1(K1) = 0 |
| return K1 << 1 |
| else |
| return (K1 << 1) (xor) R_n |
+-------------------------------------------------------------------+
Here, R_n takes the following values:
o n = 64: R_{64} = 0^{59} | 11011.
o n = 128: R_{128} = 0^{120} | 10000111.
o n = 256: R_{256} = 0^{145} | 10000100101.
The OMAC-ACPKM-Master message authentication code calculation mode is
defined as follows:
+-------------------------------------------------------------------+
| OMAC-ACPKM-Master(K, N, T*, M) |
|-------------------------------------------------------------------|
| Input: |
| - section size N, |
| - initial key K, |
| - master key frequency T*, |
| - plaintext M = M_1 | ... | M_b, |M| <= m_max. |
| Output: |
| - message authentication code T. |
|-------------------------------------------------------------------|
| 1. C_0 = 0^n |
| 2. l = ceil(|M| / N) |
| 3. K^1 | K^1_1 | ... | K^l | K^l_1 = |
= ACPKM-Master(T*, K, (k + n), l) |
| 4. For j = 1, 2, ... , b - 1 do |
| i = ceil(j * n / N), |
| C_j = E_{K^i}(M_j (xor) C_{j-1}) |
| 5. SK = Generate_Subkey(K^l_1, |M_b|) |
| 6. If |M_b| = n, then M*_b = M_b |
| else M*_b = M_b | 1 | 0^{n - 1 -|M_b|} |
| 7. T = E_{K^l}(M*_b (xor) C_{b-1} (xor) SK) |
| 8. Return T |
+-------------------------------------------------------------------+
7. Joint Usage of External and Internal Re-keying
Both external re-keying and internal re-keying have their own
advantages and disadvantages, which are discussed in Section 1. For
instance, using external re-keying can essentially limit the message
length, while in the case of internal re-keying, the section size,
which can be chosen as the maximal possible for operational
properties, limits the number of separate messages. Therefore, the
choice of re-keying mechanism (either external or internal) depends
on particular protocol features. However, some protocols may have
features that require the advantages of both the external and
internal re-keying mechanisms: for example, the protocol mainly
transmits short messages, but it must additionally support processing
of very long messages. In such situations, it is necessary to use
external and internal re-keying jointly, since these techniques
negate each other's disadvantages.
For composition of external and internal re-keying techniques, any
mechanism described in Section 5 can be used with any mechanism
described in Section 6.
For example, consider the GCM-ACPKM mode with external serial re-keying based on a KDF on a hash function. Denote the number of messages in each frame (in the case of the implicit approach to the key lifetime control) for external re-keying as a frame size. Let L be a key lifetime limitation. The section size N for internal re-keying and the frame size q for external re-keying must be chosen in such a way that q * N must not exceed L. Suppose that t messages (ICN_i, P_i, A_i), with initial counter nonce ICN_i, plaintext P_i, and additional authenticated data A_i will be processed before renegotiation. For authenticated encryption of each message (ICN_i, P_i, A_i), i = 1, ..., t, the following algorithm can be applied: 1. j = ceil(i / q), 2. K^j = ExtSerialH(K, j), 3. C_i | T_i = GCM-ACPKM-Encrypt(N, K^j, ICN_i, P_i, A_i). Note that nonces ICN_i that are used under the same frame key must be unique for each message.8. Security Considerations
Re-keying should be used to increase a priori security properties of ciphers in hostile environments (e.g., with side-channel adversaries). If efficient attacks on a cipher are known, the cipher must not be used. Thus, re-keying cannot be used as a patch for vulnerable ciphers. Base cipher properties must be well analyzed because the security of re-keying mechanisms is based on the security of a block cipher as a pseudorandom function. Re-keying is not intended to solve any postquantum security issues for symmetric cryptography, since the reduction of security caused by Grover's algorithm is not connected with a size of plaintext transformed by a cipher -- only a negligible (sufficient for key uniqueness) material is needed -- and the aim of re-keying is to limit the size of plaintext transformed under one initial key. Re-keying can provide backward security only if previous key material is securely deleted after usage by all parties.9. IANA Considerations
This document has no IANA actions.