authenticated ciphers d j bernstein university of
play

Authenticated ciphers D. J. Bernstein University of Illinois at - PDF document

Jun 17, 2023 •407 likes •1.03k views

Authenticated ciphers D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven Advertisement: SHARCS 2012 (Special-Purpose Hardware for Attacking Cryptographic Systems) is right before

  1. Authenticated ciphers D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven Advertisement: SHARCS 2012 (Special-Purpose Hardware for Attacking Cryptographic Systems) is right before FSE+SHA-3. 2012.01.23 deadline to submit extended abstracts. 2012.sharcs.org

  2. Multiple-year SHA-3 competition has produced a natural focus for security analysis and performance analysis. Community shares an interest in selecting best hash as SHA-3. Intensive analysis of candidates: hash conferences, hash workshops, active SHA-3 mailing list, etc. Would have been harder to absorb same work spread over more conferences, more time. Focus improves community’s understanding and confidence.

  3. This is a familiar pattern. June 1998: AES block-cipher submissions from 50 people ✮ community focus. April 2005: eSTREAM stream- cipher submissions from 100 people ✮ community focus. October 2008: SHA-3 hash- function submissions from 200 people ✮ community focus.

  4. This is a familiar pattern. June 1998: AES block-cipher submissions from 50 people ✮ community focus. April 2005: eSTREAM stream- cipher submissions from 100 people ✮ community focus. October 2008: SHA-3 hash- function submissions from 200 people ✮ community focus. NESSIE was much less focused and ended up in more trouble: e.g., only two MAC submissions.

  5. The next community focus What’s next after block ciphers, stream ciphers, hash functions? Proposal: authenticated ciphers. Basic security goal: two users start with a shared secret key; then want to protect messages against espionage and forgery. The usual competition: maximize security subject to performance constraints; i.e.: maximize performance subject to security constraints.

  6. “Isn’t authenticated encryption done already?”

  7. “Isn’t authenticated encryption done already?” FSE 2011 Krovetz–Rogaway cite EtM, RPC, IAPM, XCBC, OCB1, TAE, CCM, CWC, GCM, EAX, OCB2, CCFB, CHM, SIV, CIP, HBS, BTM; and propose OCB3. Same paper reports various timings for AES-GCM; better timings for AES-OCB3, “the fastest reported times for AE” (authenticated encryption); within ✎ of AES.

  8. “Isn’t authenticated encryption done already?” FSE 2011 Krovetz–Rogaway cite EtM, RPC, IAPM, XCBC, OCB1, TAE, CCM, CWC, GCM, EAX, OCB2, CCFB, CHM, SIV, CIP, HBS, BTM; and propose OCB3. Same paper reports various timings for AES-GCM; better timings for AES-OCB3, “the fastest reported times for AE” (authenticated encryption); within ✎ of AES. “That’s the end! AES-OCB3!”

  9. General themes of next several slides in this talk: 1. Is AES-OCB3 the best way to build an authenticated cipher? Many reasons to be skeptical.

  10. General themes of next several slides in this talk: 1. Is AES-OCB3 the best way to build an authenticated cipher? Many reasons to be skeptical. 2. Examples of how earlier authenticated ciphers already beat AES-OCB3

  11. General themes of next several slides in this talk: 1. Is AES-OCB3 the best way to build an authenticated cipher? Many reasons to be skeptical. 2. Examples of how earlier authenticated ciphers already beat AES-OCB3 ✿ ✿ ✿ in some respects.

  12. General themes of next several slides in this talk: 1. Is AES-OCB3 the best way to build an authenticated cipher? Many reasons to be skeptical. 2. Examples of how earlier authenticated ciphers already beat AES-OCB3 ✿ ✿ ✿ in some respects. Conclusion: No reason to think that existing work is optimal. Ample room for competition.

  13. Changing the components AES-GCM uses AES-CTR. Many bits of AES input thus end up as constants, invalidating many differentials. Can AES-GCM get away with one or two fewer AES rounds while still providing security against differential attacks? AES-OCB3 doesn’t use CTR. Can it be safely modified to use some constant bits?

  14. We know more about ciphers in 2012 than we did in 1998. Can we obtain better speeds by replacing AES with another block cipher?

  15. We know more about ciphers in 2012 than we did in 1998. Can we obtain better speeds by replacing AES with another block cipher? Can we obtain better speeds by replacing AES-CTR with another stream cipher?

  16. We know more about ciphers in 2012 than we did in 1998. Can we obtain better speeds by replacing AES with another block cipher? Can we obtain better speeds by replacing AES-CTR with another stream cipher? Yes, course! See eSTREAM. Example, ARM Cortex A8: 28.9 cycles/byte for AES-OCB3. 25.4 cycles/byte for AES-CTR. 8.53 cycles/byte for Salsa20/20. 5.53 cycles/byte for Salsa20/12.

  17. How expensive are MACs? Can take any modern hash (or design another one!), plug into HMAC.

  18. How expensive are MACs? Can take any modern hash (or design another one!), plug into HMAC. Are universal hashes better? GCM’s universal hash: faster than HMAC in hardware but much slower in software.

  19. How expensive are MACs? Can take any modern hash (or design another one!), plug into HMAC. Are universal hashes better? GCM’s universal hash: faster than HMAC in hardware but much slower in software. UMAC, VMAC, etc.: faster than HMAC in software; what about hardware? (I’m doing a new PEMA design.)

  20. Improving security AES-GCM, AES-OCB3, etc. advertise “provable security” if AES is secure.

  21. Improving security AES-GCM, AES-OCB3, etc. advertise “provable security” if AES is secure. But is AES actually secure? Are the latest AES-cryptanalysis papers reason for concern? (I don’t think so, but maybe you disagree.)

  22. Improving security AES-GCM, AES-OCB3, etc. advertise “provable security” if AES is secure. But is AES actually secure? Are the latest AES-cryptanalysis papers reason for concern? (I don’t think so, but maybe you disagree.) Does efficiency force ciphers to have a scary key schedule?

  23. What happens to security if there are many messages?

  24. What happens to security if there are many messages? Usually the security proofs become meaningless. e.g. AES-OCB3 theorems allow attack probability 6 q 2 ❂ 2 128 after q blocks of AES input. Is q ✙ 2 60 so hard to imagine?

  25. What happens to security if there are many messages? Usually the security proofs become meaningless. e.g. AES-OCB3 theorems allow attack probability 6 q 2 ❂ 2 128 after q blocks of AES input. Is q ✙ 2 60 so hard to imagine? 128-bit block size for AES is beginning to look rather small. Wouldn’t it be more comfortable to have 256-bit blocks?

  26. What happens to security if the attacker is lucky and succeeds at one forgery? AES-GCM answer: key recovery. AES-OCB3 answer: ?

  27. What happens to security if the attacker is lucky and succeeds at one forgery? AES-GCM answer: key recovery. AES-OCB3 answer: ? Can limit the damage by rejecting old nonces and deriving key from nonce; but this creates speed problems for AES, bigger speed problems for GCM.

  28. What happens to security if the attacker is lucky and succeeds at one forgery? AES-GCM answer: key recovery. AES-OCB3 answer: ? Can limit the damage by rejecting old nonces and deriving key from nonce; but this creates speed problems for AES, bigger speed problems for GCM. How important is this? Do we need high key agility?

  29. What about side-channel attacks? Not a strong point for AES. Not a strong point for GCM.

  30. What about side-channel attacks? Not a strong point for AES. Not a strong point for GCM. We understand reasonably well how to design primitives to avoid software side channels.

  31. What about side-channel attacks? Not a strong point for AES. Not a strong point for GCM. We understand reasonably well how to design primitives to avoid software side channels. How can we design primitives to reduce cost of avoiding hardware side channels? One approach (e.g., Keccak): maximize bit-level parallelism, minimize degree over F 2 .

  32. Cost metrics Is time the most important metric for performance?

  33. Cost metrics Is time the most important metric for performance? Does your cryptography fit onto an RFID, or into a small corner of a CPU? What is the smallest area for an authenticated cipher?

  34. Cost metrics Is time the most important metric for performance? Does your cryptography fit onto an RFID, or into a small corner of a CPU? What is the smallest area for an authenticated cipher? For each ❆ : How fast is an authenticated cipher that fits into area ❆ ?

  35. Is AES-OCB3 actually faster than AES-GCM at rejecting forgeries ?

  36. Is AES-OCB3 actually faster than AES-GCM at rejecting forgeries ? AES-GCM rejects forgery with no decryption time. AES-OCB3 is faster than AES-GCM, but is it faster than just the MAC in AES-GCM?

  37. Is AES-OCB3 actually faster than AES-GCM at rejecting forgeries ? AES-GCM rejects forgery with no decryption time. AES-OCB3 is faster than AES-GCM, but is it faster than just the MAC in AES-GCM? Many other MACs are clearly faster than AES-OCB3.

  38. Is AES-OCB3 actually faster than AES-GCM at rejecting forgeries ? AES-GCM rejects forgery with no decryption time. AES-OCB3 is faster than AES-GCM, but is it faster than just the MAC in AES-GCM? Many other MACs are clearly faster than AES-OCB3. What is most important for performance of authenticated ciphers: normal traffic, or floods of forged traffic?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein University of Illinois at Chicago & m Technische Universiteit Eindhoven c k More details, credits: competitions.cr.yp.to network

1.33k views • 118 slides
The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton DIAC Directions in Authenticated Ciphers 05 July 2012

748 views • 52 slides
Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Workshop on Cryptographic Hardware and Embedded Systems (CHES 2020) Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito * and Takeshi Sugawara ** * Mitsubishi Electric Corporation ** The University of

420 views • 22 slides
Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 ,

Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 ,

Introduction Motivation Specification for Beetle Hardware Implementation Results of Beetle Conclusions Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 , Nilanjan Datta 2 , Mridul Nandi 3 and Kan

614 views • 32 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
Cycle counts for authenticated encryption D. J. Bernstein http://cr.yp.to /streamciphers

Cycle counts for authenticated encryption D. J. Bernstein http://cr.yp.to /streamciphers

Cycle counts for authenticated encryption D. J. Bernstein http://cr.yp.to /streamciphers /timings.html Standard construction: encrypt with stream cipher; authenticate the ciphertext by appending encrypted hash. How to hash the ciphertext?

323 views • 4 slides
STRIBOB : Authenticated Encryption from GOST R 34.11-2012 LPS or Whirlpool Markku-Juhani O.

STRIBOB : Authenticated Encryption from GOST R 34.11-2012 LPS or Whirlpool Markku-Juhani O.

mjos@item.ntnu.no STRIBOB : Authenticated Encryption from GOST R 34.11-2012 LPS or Whirlpool Markku-Juhani O. Saarinen Norwegian University of Science and Technology Directions in Authentication Ciphers '14 24 August 2014, Santa Barbara USA 1

220 views • 19 slides
Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr

Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr

Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr 2 1 NEC Laboratories Europe, Germany 2 EPFL, Switzerland DIAC 2016: Directions in Authenticated Ciphers 2016 This work was partially supported by

696 views • 43 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Authenticated Encryption Requirements David McGrew mcgrew@cisco.com Directions in Authenticated

Authenticated Encryption Requirements David McGrew mcgrew@cisco.com Directions in Authenticated

Desiderata Current AEAD use Evolution Conclusions Authenticated Encryption Requirements David McGrew mcgrew@cisco.com Directions in Authenticated Ciphers, 2012 Desiderata Current AEAD use Evolution Conclusions Many desirable attributes

284 views • 26 slides
Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J.

Comparison of Cipher implementations from cipher authors 256-bit stream ciphers D. J. Bernstein Timing tools Thanks to: (De Canni` ere) University of Illinois at Chicago Denmark Technical University

602 views • 13 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
On the design of message-authentication codes D. J. Bernstein University of Illinois at Chicago

On the design of message-authentication codes D. J. Bernstein University of Illinois at Chicago

On the design of message-authentication codes D. J. Bernstein University of Illinois at Chicago When we design hash functions, stream ciphers, and other secret-key primitives, should we use integer multiplication? AES uses 32 ; 32 ! 32 xor;

634 views • 39 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Outline Framework Antiderivative Functions Applications Conclusion Outline Framework

Outline Framework Antiderivative Functions Applications Conclusion Outline Framework

Antiderivative Functions over F 2 n Valentin SUDER Seminar CALIN - Paris 13 April 12nd 2016. ComSec Lab, University of Waterloo ON, CANADA Outline Framework Antiderivative Functions Applications Conclusion Outline Framework Symmetric

999 views • 57 slides
Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday, June 29th, 2020 1/23 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure communication ( e.g.

900 views • 58 slides
Multivariate Cryptography Part 1: Basics Albrecht Petzoldt PQCrypto Summer School 2017

Multivariate Cryptography Part 1: Basics Albrecht Petzoldt PQCrypto Summer School 2017

Multivariate Cryptography Part 1: Basics Albrecht Petzoldt PQCrypto Summer School 2017 Eindhoven, Netherlands Tuesday, 20.06.2017 A. Petzoldt Multivariate Cryptography PQCrypto Summer School 1 / 24 Multivariate Cryptography [DS06] MPKC:

621 views • 24 slides
Report on Evaluation of Symmetric-Key Cryptographic Techniques May 22, 2003 Toshinobu Kaneko

Report on Evaluation of Symmetric-Key Cryptographic Techniques May 22, 2003 Toshinobu Kaneko

Report on Evaluation of Symmetric-Key Cryptographic Techniques May 22, 2003 Toshinobu Kaneko Chair, Symmetric-Key Cryptography Subcommittee (Science University of Tokyo) 1 Symmetric-Key Cryptography Subcommittee(2002) K.Araki (TIT)

998 views • 20 slides
Open Problems in Multivariate Cryptography Louis Goubin LGoubin@ slb.com Nicolas Courtois

Open Problems in Multivariate Cryptography Louis Goubin LGoubin@ slb.com Nicolas Courtois

Open Problems in Multivariate Cryptography Louis Goubin LGoubin@ slb.com Nicolas Courtois Ncourtois@ slb.com SchlumbergerSema Louveciennes France Bruges - 26/11/2002 STORK Cryptography Workshop 1 Design of Block Ciphers and Hash

429 views • 4 slides
Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology

Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology

T-79.159 Cryptography and Data Security Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa

1.25k views • 34 slides
Rank Analysis of Cubic Multivariate Cryptosystems John Baena 1 Daniel Cabarcas 1 Daniel Escudero 2

Rank Analysis of Cubic Multivariate Cryptosystems John Baena 1 Daniel Cabarcas 1 Daniel Escudero 2

Rank Analysis of Cubic Multivariate Cryptosystems John Baena 1 Daniel Cabarcas 1 Daniel Escudero 2 Karan Khathuria 3 Javier Verbel 1 April 10, 2018 1 Universidad Nacional de Colombia, Colombia 2 Aarhus University, Denmark 3 University of Zurich,

423 views • 29 slides
Differential Encoding for Real-Time Status Updates Sanidhay Bhambay Sudheer Poojary Parimal

Differential Encoding for Real-Time Status Updates Sanidhay Bhambay Sudheer Poojary Parimal

Differential Encoding for Real-Time Status Updates Sanidhay Bhambay Sudheer Poojary Parimal Parag Electrical and Communication Engineering Indian Institute of Science, Bangalore The IEEE Wireless Communication and Networking Conference March

484 views • 23 slides

More recommend