ale aes based lightweight authenticated encryption
play

ALE: AES-Based Lightweight Authenticated Encryption Andrey Bogdanov - PowerPoint PPT Presentation

Oct 02, 2022 •19 likes •279 views

ALE: AES-Based Lightweight Authenticated Encryption Andrey Bogdanov 1 , Florian Mendel 2 , Francesco Regazzoni 3,4 , Vincent Rijmen 5 , Elmar Tischhauser 5 1 Technical University of Denmark 2 IAIK, Graz University of Technology, Austria 3 ALaRI -

  1. ALE: AES-Based Lightweight Authenticated Encryption Andrey Bogdanov 1 , Florian Mendel 2 , Francesco Regazzoni 3,4 , Vincent Rijmen 5 , Elmar Tischhauser 5 1 Technical University of Denmark 2 IAIK, Graz University of Technology, Austria 3 ALaRI - USI, Switzerland 4 Delft University of Technology, Netherlands 5 Dept. ESAT/COSIC, KU Leuven and iMinds, Belgium

  2. Authenticated Encryption (AE) • Is cryptography about encryption? Yes, but not only! o Encryption alone is not enough in numerous applications o One might even argue that authentication is really what is needed in o most cases • Authenticated encryption AE: (P,K) -> (C,T) with T authentication tag • Authenticated encryption with associated data AEAD: (A,P,K) -> (A,C,T) with A associated data transmitted in plaintext

  3. The assumption of nonce • Nonce N = number used once, freshness • Nice but might be difficult to enforce in sometimes David McGrew, DIAC’12 slides • Good news: Nonce can be “just” a counter!

  4. [RBBK01] Nonce-based: AES-OCB [BR02] [R02] [R04] [KR11] • Init(N): initialization function • Inc: increment function • Checksum = M1 xor M2 xor... Mn

  5. [RBBK01] Nonce-based: AES-OCB [BR02] [R02] [R04] [KR11] + • 1 AES-128 call per block • perfectly parallelizable • only forgery with nonce reuse • associated data

  6. [RBBK01] Nonce-based: AES-OCB [BR02] [R02] [R04] [KR11] + - • • 1 AES-128 call per block enc/dec different • • perfectly parallelizable state 4x128 bits • • only forgery with nonce reuse (patents pending) • associated data

  7. [JK11] ASC-1

  8. [JK11] ASC-1 + • only 4 AES-128 rounds per block • enc/dec similar

  9. [JK11] ASC-1 + • only 4 AES-128 rounds per block • enc/dec similar - • state 4x128 bits • serial • state recovery with nonce reuse • slow in compact ASIC implementation • no associated data

  10. Our Goal • Design of a dedicated AE scheme which would: o require less operations on average o be compact in hardware (for both encryption and decryption) o have low power and low energy figures o be good in software • PC (AES-NI) • Embedded (usually not parallelizable) o rely on some previous cryptanalysis

  11. ALE = associated data AES = AES-128 = message = 128-bit key = ciphertext = tag Initialization: nonce, AES with master k, 0, AES with master k, AES with ks Processing Associated Data: xor with state, 4R AES Processing Message: xor with message, 4R AES LEX leak

  12. [B06] LEX leak for ALE encryption odd rounds even rounds

  13. ALE = associated data AES = AES-128 = message = 128-bit key = ciphertext = tag Initialization: nonce, AES with master k, 0, AES with master k, AES with ks Processing Associated Data: xor with state, 4R AES Processing Message: xor with message, 4R AES LEX leak Finalization: encrypt with AES

  14. ALE = associated data AES = AES-128 = message = 128-bit key = ciphertext = tag + • only 4 AES-128 rounds per block • enc/dec similar • state 2x128 bits • faster in compact ASIC implementation • associated data

  15. ALE = associated data AES = AES-128 = message = 128-bit key = ciphertext = tag + - • • only 4 AES-128 rounds per block serial • • enc/dec similar state recovery with nonce reuse • state 2x128 bits • faster in compact ASIC implementation • associated data

  16. Assumptions for ALE • Assumption 1. Nonce-respecting adversary: A nonce is only used once with the same master key for encryption • Assumption 2. Abort on verification failure: No additional information returned if tampering is detected (in particular, no plaintext blocks)

  17. Claims for ALE • Claim 1. State recovery: State recovery with complexity = t data blocks succeeds with prob at most t2 -128 • Claim 2. Key recovery: State recovery with complexity = t data blocks succeeds with prob at most t2 -128 , even if state recovered • Claim 3. Forgery w/o state recovery: forgery not involving key/state recovery succeeds with prob at most 2 -128

  18. Lightweight ASIC implementation for ALE • ALE implemented using as base AES architecture the smallest available [Moradi et al., Eurocrypt 2011] • Reference algorithms were implemented using the same starting AES • STMicroelectronics 65 nm CMOS LP-HVT, Synopsis 2009.06, 20 MHz

  19. Lightweight ASIC implementation for ALE

  20. Lightweight ASIC implementation for ALE

  21. Software implementation of ALE • Target platforms: o Sanby Bridge 3.1GHz (using AES-NI) o Embedded (estimated) • Parallel or multiple message at a time • Standard Sandy Bridge desktop @ 3.1 GHz • Repeated 100.000 and averaged

  22. Software implementation of ALE (Sandy Bridge) • cycles per byte (AES-NI)

  23. Software implementation of ALE (Sandy Bridge) • cycles per byte (AES-NI)

  24. Software implementation of ALE (embedded) • Serial constructions usually do not cause large overhead • Estimated 2 to 2.5 time faster than AES-OCB

  25. Conclusions • Dedicated nonce-based AES-based AEAD design • Reuses some cryptanalysis of Pelican-MAC and LEX • Small hardware footprint • Fast software (measured with AES-NI, estimated embedded)

  26. Thank you!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Workshop on Cryptographic Hardware and Embedded Systems (CHES 2020) Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito * and Takeshi Sugawara ** * Mitsubishi Electric Corporation ** The University of

420 views • 22 slides
Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 ,

Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 ,

Introduction Motivation Specification for Beetle Hardware Implementation Results of Beetle Conclusions Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 , Nilanjan Datta 2 , Mridul Nandi 3 and Kan

614 views • 32 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

ELmD Authenticated Encryption Scheme EME based Authenticated Encryption Schemes Comparative Study of ELmD with other EME based AEs Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul Nandi Indian

364 views • 20 slides
JAMBU Lightweight Authenticated Encryption Mode and AES-JAMBU Hongjun Wu, Tao Huang Division of

JAMBU Lightweight Authenticated Encryption Mode and AES-JAMBU Hongjun Wu, Tao Huang Division of

JAMBU Lightweight Authenticated Encryption Mode and AES-JAMBU Hongjun Wu, Tao Huang Division of Mathematical Sciences School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore { wuhj,huangtao } @ntu.edu.sg

267 views • 16 slides
Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan Daemen 1 , Michal Peeters 2 , and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. While mainstream symmetric cryptography has

519 views • 12 slides
Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

(A brief, incomplete) Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and Privacy June 11, 2018 Authenticated Encryption M M Its complicated Probabilistic or deterministic AE? Nonce based AE?

868 views • 47 slides
Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein University of Illinois at Chicago & m Technische Universiteit Eindhoven c k More details, credits: competitions.cr.yp.to network

1.33k views • 118 slides
The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich and Christian Rechberger University of Luxembourg and DTU (Denmark) Presented by Yu Sasaki (NTT, Japan) 15 August 2013 Authenticated encryption

556 views • 22 slides
APE(X): Authenticated Permutation-Based Encryption with Extended Misuse Resistance Atul Luykx

APE(X): Authenticated Permutation-Based Encryption with Extended Misuse Resistance Atul Luykx

APE(X): Authenticated Permutation-Based Encryption with Extended Misuse Resistance Atul Luykx COSIC, KU Leuven August 14, 2013 Joint work with A. Bogdanov, E. Andreeva, B. Mennink, N. Mouha, K. Yasuda 1 / 16 Stateless, Deterministic

198 views • 17 slides
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

602 views • 27 slides
Hermes: A Language for Lightweight Encryption Torben gidius Mogensen RC 2020 Background:

Hermes: A Language for Lightweight Encryption Torben gidius Mogensen RC 2020 Background:

Hermes: A Language for Lightweight Encryption Torben gidius Mogensen RC 2020 Background: Lightweight Encryption Lightweight: Meant to be fast. Symmetric key: Same key used for encryption and decryption. Used in embedded systems, browsers,

300 views • 12 slides
Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva COSIC, KU Leuven, Belgium Cryptoday 2014 Technion, Haifa, Israel 30/12/2014 Outline Authenticated Encryption: AE Generic AE composition

732 views • 55 slides
On Some Constructions for Authenticated Encryption with Associated Data Palash Sarkar Applied

On Some Constructions for Authenticated Encryption with Associated Data Palash Sarkar Applied

On Some Constructions for Authenticated Encryption with Associated Data Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in (Partially based on joint work with Debrup Chakraborty) Directions

1.01k views • 61 slides
ARDSLEY HIGH SCHOOL ALE Brandon Milonovich 1/24/17 FLEXIBILITY AND CHOICE IN LEARNING Students

ARDSLEY HIGH SCHOOL ALE Brandon Milonovich 1/24/17 FLEXIBILITY AND CHOICE IN LEARNING Students

ARDSLEY HIGH SCHOOL ALE Brandon Milonovich 1/24/17 FLEXIBILITY AND CHOICE IN LEARNING Students have opportunities to choose ways of interacting with content in ways that better meet their needs and preferences. Flexible space provides a

506 views • 5 slides
From LIBOR to SONIA and what you need to know: Recommended steps for transition Chris Wilford

From LIBOR to SONIA and what you need to know: Recommended steps for transition Chris Wilford

From LIBOR to SONIA and what you need to know: Recommended steps for transition Chris Wilford Head of Financial Services Policy, CBI September 2020 The Bank of England and FCA are ex-officio members of the Working Group on Sterling Risk Free

308 views • 6 slides
Arts Liaison Training #4: Taking the Reins as Arts Leader January 18, 2018 Irish-American

Arts Liaison Training #4: Taking the Reins as Arts Leader January 18, 2018 Irish-American

Arts Liaison Training #4: Taking the Reins as Arts Leader January 18, 2018 Irish-American Heritage Center Taking the Reins as Arts Leader Todays Agenda KNOW what it means to be an arts leader at your school UNDERSTAND whats in the State

691 views • 33 slides
Algorithmics and C basis Introduction For beginners . . . Definition of algorithm Examples

Algorithmics and C basis Introduction For beginners . . . Definition of algorithm Examples

Algorithmics and C basis A. Mucherino Algorithmics and C basis Introduction For beginners . . . Definition of algorithm Examples Antonio Mucherino The product of real numbers Maximum element of a vector University of Rennes 1 C basis

1.01k views • 86 slides
Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer Security Logistics intermission Day 2: Intro to Software and OS Security Example security failures Stephen McCamant University of Minnesota, Computer

395 views • 7 slides
Learning to Prune Dominated Action Sequences in Online Black-box Planning Yuu Jinnai Alex

Learning to Prune Dominated Action Sequences in Online Black-box Planning Yuu Jinnai Alex

Learning to Prune Dominated Action Sequences in Online Black-box Planning Yuu Jinnai Alex Fukunaga The University of Tokyo Black-box Planning in Arcade Learning Environment What a human sees Arcade Learning Environment (Bellemare et

655 views • 41 slides
More Design Issues 1. Roles. 2. Sub classes. 3. Keys. 4. W eak en tit y sets. 5.

More Design Issues 1. Roles. 2. Sub classes. 3. Keys. 4. W eak en tit y sets. 5.

More Design Issues 1. Roles. 2. Sub classes. 3. Keys. 4. W eak en tit y sets. 5. Design principles and some hard examples. 1 Roles Sometimes an E.S. participates more than once in a relationship. Lab el edges

410 views • 16 slides
Augmented Likelihood Estimators for Mixture Models Markus Haas Jochen Krause Marc S. Paolella

Augmented Likelihood Estimators for Mixture Models Markus Haas Jochen Krause Marc S. Paolella

Augmented Likelihood Estimators for Mixture Models Markus Haas Jochen Krause Marc S. Paolella Swiss Banking Institute, University of Zurich M. Haas, J. Krause, M. S. Paolella Augmented Likelihood Estimation What is mixture degeneracy?

311 views • 20 slides

More recommend