APE(X): Authenticated Permutation-Based Encryption with Extended Misuse Resistance
Atul Luykx, COSIC, KU Leuven
August 14, 2013
Joint work with A. Bogdanov, E. Andreeva, B. Mennink, N. Mouha, K. Yasuda
1 / 16

Stateless, Deterministic Encryption
E(M_1) = C_1, E(M_2) = C_2, and M_1 = M_2 ⇒ C_1 = C_2.

Nonces
E(N_1, M_1) = C_1, E(N_2, M_2) = C_2, and N_1 ≠ N_2 and M_1 = M_2 ⇏ C_1 = C_2.

Nonce Repetition
Nonce repeated? Usually no security guarantees. Misuse resistance.

Some AE Schemes

                 Nonce-dependent                              Misuse Resistant
Block Cipher     IAPM '01, OCB '01, XECB '01, CCM '01, GCM '04  SIV '06, BTM '09, McOE-G '11
Permutation      SpongeWrap '11                                 APE

APE (figure: encryption of M[1]..M[4] into C[1]..C[4]; the state starts as (0, K), each block is XORed into the rate before the permutation p, the last block is domain-separated with a 1, and the tag T is derived from the final capacity and K)

APE - Associated Data (figure: associated-data blocks A[1]..A[4] absorbed into the r-bit rate through p, starting from IV and the key K in the c-bit capacity)

APE - Decryption (figure: starting from C[4], T and K, the inverse permutation p^{-1} is applied block by block from C[4] back to C[1] to recover M[4]..M[1]; the recovered initial capacity is checked against K)

Properties
1. Proof with ideal permutation (sponge)
2. Tag cannot be truncated
3. Suited for lightweight
4. Online?
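The APE encryption and decryption figures above, as an added worked example that is not the authors' code or reference implementation: a toy model of the mode with a 16-byte rate, a 16-byte capacity, a 4-round Feistel network standing in for the permutation p, 10* padding and a capacity XOR 1 on the last block (all assumptions chosen here to make the figures concrete; associated data is left out). Decryption follows the figure literally: it starts from the last ciphertext block and T XOR K, walks backwards with p^{-1}, and accepts only if the recovered initial capacity equals K, which is why the full tag is needed (property 2) and why decryption cannot be online (property 4).

```python
import hashlib
import hmac

# Toy parameters (assumption): 16-byte rate, 16-byte capacity, 32-byte state.
RATE = 16
CAP = 16
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(i: int, half: bytes) -> bytes:
    # Feistel round function: a hash of (round index, half). Toy stand-in, not APE's p.
    return hashlib.sha256(bytes([i]) + half).digest()[:16]


def p(state: bytes) -> bytes:
    """Toy invertible 32-byte permutation (4-round Feistel), stand-in for APE's p."""
    l, r = state[:16], state[16:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(i, r))
    return l + r


def p_inv(state: bytes) -> bytes:
    """Inverse of p: undo the Feistel rounds in reverse order."""
    l, r = state[:16], state[16:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(i, l)), l
    return l + r


def _flip_last_bit(cap: bytes) -> bytes:
    # Domain separation of the final block: capacity XOR 0^{c-1}1 (the "1" in the figure).
    return cap[:-1] + bytes([cap[-1] ^ 1])


def ape_encrypt(key: bytes, msg: bytes):
    """Forward pass as in the APE figure: state starts as (IV = 0^r, K); each message
    block is XORed into the rate, p is applied, and the new rate is the ciphertext
    block. The tag is the final capacity XOR K. Padding is 10* (assumption)."""
    assert len(key) == CAP
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % RATE)
    blocks = [padded[i:i + RATE] for i in range(0, len(padded), RATE)]
    rate, cap = bytes(RATE), key
    ct = []
    for i, m in enumerate(blocks):
        rate = _xor(rate, m)
        if i == len(blocks) - 1:
            cap = _flip_last_bit(cap)
        state = p(rate + cap)
        rate, cap = state[:RATE], state[RATE:]
        ct.append(rate)                    # C[i] is the rate after p
    return b"".join(ct), _xor(cap, key)


def ape_decrypt(key: bytes, ct: bytes, tag: bytes):
    """Backward pass as in the APE decryption figure: start from (C[l], T XOR K),
    apply p^{-1} from the last block to the first, and accept only if the
    recovered initial capacity equals K. Returns None on rejection."""
    if len(tag) != CAP or not ct or len(ct) % RATE:
        return None                        # the whole tag is needed to even start
    cblocks = [ct[i:i + RATE] for i in range(0, len(ct), RATE)]
    rate, cap = cblocks[-1], _xor(tag, key)
    out = []
    for i in range(len(cblocks) - 1, -1, -1):
        state = p_inv(rate + cap)
        rate, cap = state[:RATE], state[RATE:]
        if i == len(cblocks) - 1:
            cap = _flip_last_bit(cap)      # undo the last-block domain separation
        prev = cblocks[i - 1] if i > 0 else bytes(RATE)   # rate before block i: C[i-1] or IV
        out.append(_xor(rate, prev))                      # M[i] = (C[i-1] XOR M[i]) XOR C[i-1]
        rate = prev
    if not hmac.compare_digest(cap, key):  # the "K ?" check at the left of the figure
        return None
    padded = b"".join(reversed(out))
    idx = padded.rfind(b"\x80")
    if idx < 0 or any(padded[idx + 1:]):
        return None
    return padded[:idx]


if __name__ == "__main__":
    k = bytes(range(16))                   # constructed sample key
    c, t = ape_encrypt(k, b"attack at dawn")
    print(ape_decrypt(k, c, t))            # b'attack at dawn'
    print(ape_decrypt(k, c, t[:8]))        # None: truncated tag cannot start decryption
```

Without a nonce (or without associated data carrying one) the mode is deterministic, so encrypting the same message twice under the same key yields the same ciphertext and tag, which is exactly the equality leak of the "Stateless, Deterministic Encryption" slide; a flipped ciphertext or tag bit makes the recovered capacity differ from K and the call returns None.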

Online (figure: M[1]..M[4] mapped to C[1]..C[4] block by block)

McOE (figure: encryption of M[1], M[2] with the block cipher E_K, chaining value V, τ, producing C[1], C[2] and tag T)

McOE - Decryption (figure: C[1], C[2] decrypted with E_K^{-1} and E_K, chaining value V, τ, recovering M[1], M[2] and tag T)

Extra Misuse Resistance (figure: the APE decryption diagram again, with p^{-1} applied from C[4] back to C[1] and the final check against K)

APEX (figure: M[1]..M[4] encrypted with p from the state (0, K) into C[1]..C[3], with C[1] ⊕ C[2] ⊕ C[3] fed into the processing of the last block)

Conclusions and Future Work
Future work:
1. Reducing key size
2. Designing a permutation with efficient inverse
3. Ideal model versus standard model
4. How to deal with nonces: public message number versus secret message number

Thank you for your attention.
