
Authenticated Encryption Mode for Beyond the Birthday Bound Security - PowerPoint PPT Presentation



1. Authenticated Encryption Mode for Beyond the Birthday Bound Security
Tetsu Iwata, Nagoya University, iwata@cse.nagoya-u.ac.jp
ESC (Echternach Symmetric Crypto seminar), January 11, 2008

2. Blockcipher
[figure: plaintext M and key K enter E; encryption yields ciphertext C, decryption inverts it]
• |M| = |C| = n (block length), |K| = k (key length)
• designed to withstand various known attacks (differential attack, linear attack, ...)
• indistinguishable from a random permutation even if the adversary obtains $2^{n-\delta}$ plaintext-ciphertext pairs

3. Blockcipher Modes
• privacy: CBC mode, CTR mode, ...
• authenticity: CBC MAC, CMAC, PMAC, ...
• privacy and authenticity: GCM, OCB, EAX, ...
Security Proofs
• birthday bound
• success probability $O(\sigma^2 / 2^n)$
• $\sigma$: amount of data the adversary obtains

4. Security Proofs with Beyond the Birthday Bound
• privacy: CENC, NEMO
• authenticity: RMAC, Poly1305, MACH
• privacy and authenticity: Generic Composition, CHM
Beyond the Birthday Bound?
• higher security is a valid goal
• huge gap between blockcipher security and mode security
– blockcipher: $2^{n-\delta}$, mode: $2^{n/2}$
• some applications require n = 64 (HIGHT, PRESENT)
– $2^{32}$ is small

5. Goal of This Talk
• design of an authenticated encryption mode, AE1
• beyond the birthday bound security
• fix several problems in existing modes

6. Authenticated Encryption
• two security goals:
– privacy
– authenticity
• two design approaches
– generic composition: secure encryption + secure MAC (BN00, K01)
– one algorithm of dedicated design, more efficient than generic composition

7. Authenticated Encryption Using a Blockcipher
• IAPM, IACBC (Jutla ’01)
• XCBC, XECBS (Gligor, Donescu ’01)
• OCB (Rogaway ’01)
• GCM (McGrew and Viega ’04)
• CHM (Iwata ’06)
• ...

8. GCM (McGrew, Viega ’04, NIST SP 800-38D)
• Galois Counter Mode
• recommended by NIST as NIST SP 800-38D
• IETF 4160, payload encryption in IPSec
• IEEE 802.1AE, Media Access Control Security, frame data encryption in Layer 2 of the Ethernet
• IEEE P1619.1, tape storage encryption

9. GCM (McGrew, Viega ’04, NIST SP 800-38D)
• blockcipher E
• inputs: the key K, nonce N, plaintext M and header A
• outputs: the ciphertext C and tag T
(K, N, M, A) → GCM → (C, T)
• M is encrypted and authenticated
• A is authenticated (and not encrypted)
• M and A can be of any length
• |C| = |M|

10. Encryption of GCM
[figure: the counter block (drawn as N || 0^31 || 1) is advanced by inc for each of M_1, ..., M_4 and encrypted with E_K to produce C_1, ..., C_4; H ← E_K(0^n); A_1, ..., A_4, C_1, ..., C_4 and len(A) || len(C) are absorbed in a chain starting from 0^n, each step multiplied by H in GF(2^n) (⊗: multiplication in GF(2^n)); the chain output gives the tag T]

11. Properties
• combines CTR mode and a polynomial hash over GF(2^n)
• uses a single key
• provable security
– privacy: $O(\sigma^2 / 2^n)$
– authenticity: $O(\sigma^2 / 2^n)$
– $\sigma$: length of data in blocks
• allows parallel calls of E
– can boost the throughput of encryption

12. Properties
• polynomial hash is not parallelizable
[figure: x_1, ..., x_4 absorbed sequentially, each step multiplied by H, from 0^n to T]
– can be a bottleneck for hardware (Satoh et al., ISC ’07 can be used)
• C cannot be processed until A is finished
– can be a problem if C is ready before A
• usual birthday bound security

13. CHM (Iwata, FSE ’06)
• CENC with Hash based MAC
• "C cannot be processed until A is finished": fixed, A and C are MACed separately
• "usual birthday bound security": fixed, uses CENC for encryption
– CENC: encryption mode

14. Parameters of CENC
• blockcipher $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$
• nonce length: $\ell_{\mathrm{nonce}}$ bits, $\ell_{\mathrm{nonce}} < n$
• frame width: w

15. Key Stream Generation of CENC
[figure: ctr is advanced by inc before each call of E_K; the first output of a frame is the mask L, and each of the following outputs is XORed with L to give the keystream blocks S_0, S_1, ...; the drawing shows 8 calls of E_K producing S_0 to S_5, with one frame spanning w blocks]
• L: mask
• w: frame width, default: $w = 2^8 = 256$
• N: nonce, ctr ← N || 0···0, default: $|N| = \ell_{\mathrm{nonce}} = n/2$

16. Encryption of CENC
[figure: the same keystream generation, started from ctr ← N || 0···0; each keystream block S_i is XORed with the plaintext block M_i to give C_i, for i = 0, ..., 5]

17. Indistinguishability from a Random String
[figure: the adversary A either queries the CENC oracle CENC_K(·) with (N, M) and receives C = CENC_K(N, M), or queries the random oracle R(·) with (N′, M′) and receives a random string C′]
A must not repeat the same nonce.
$\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) \stackrel{\mathrm{def}}{=} \left| \Pr_K\big(A^{\mathrm{CENC}_K(\cdot,\cdot)} = 1\big) - \Pr_R\big(A^{R(\cdot,\cdot)} = 1\big) \right|$

18. Security Theorem of CENC
$\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CENC}}(A) \le \frac{w\hat{\sigma}^3}{2^{2n-3}} + \frac{w\hat{\sigma}}{2^n} + \mathrm{Adv}^{\mathrm{prp}}_E(B)$
• A: q queries with a total of $\sigma$ blocks
• B: $(w+1)\hat{\sigma}/w$ queries
• $\hat{\sigma} = \sigma + qw$
• beyond the birthday bound
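The keystream generation and encryption of slides 14 to 18, as an added worked example in Python; this is not code from the slides or from any CENC implementation. It assumes n = 128 with a 64-bit nonce, a big-endian increment for inc, and replaces E_K with an HMAC-based stand-in (a keyed PRF rather than a permutation) so that it runs without a crypto library. The counter of E_K calls makes visible the (w+1)/w overhead behind the theorem's "(w+1)σ̂/w queries" for B.

```python
import hashlib
import hmac
import math
from typing import Callable, List, Tuple

N_BYTES = 16                    # block length n = 128 bits (AES-sized), assumed here
NONCE_BYTES = N_BYTES // 2      # the slide's default |N| = l_nonce = n/2


def toy_blockcipher(key: bytes) -> Callable[[bytes], bytes]:
    """Stand-in for E_K: HMAC-SHA256 truncated to one block. It is a keyed PRF,
    not a permutation, so it models only the interface of a blockcipher."""
    def E(block: bytes) -> bytes:
        assert len(block) == N_BYTES
        return hmac.new(key, block, hashlib.sha256).digest()[:N_BYTES]
    return E


def inc(ctr: bytes) -> bytes:
    """inc: advance the n-bit counter as a big-endian integer mod 2^n (assumed encoding)."""
    v = (int.from_bytes(ctr, "big") + 1) % (1 << (8 * N_BYTES))
    return v.to_bytes(N_BYTES, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cenc_keystream(E, nonce: bytes, nblocks: int, w: int = 256) -> Tuple[List[bytes], int]:
    """Produce nblocks keystream blocks S_0, S_1, ... frame by frame.
    Per frame: L = E_K(ctr) is the mask, then S_i = E_K(ctr + 1 + i) xor L for i < w,
    so a full frame costs w + 1 blockcipher calls. Returns (blocks, number of E_K calls)."""
    assert len(nonce) == NONCE_BYTES
    ctr = nonce + bytes(N_BYTES - NONCE_BYTES)      # ctr <- N || 0...0
    stream: List[bytes] = []
    calls = 0
    while len(stream) < nblocks:
        mask = E(ctr)                               # L for this frame
        calls += 1
        ctr = inc(ctr)
        for _ in range(w):
            if len(stream) == nblocks:              # last frame may be partial
                break
            stream.append(xor(E(ctr), mask))
            calls += 1
            ctr = inc(ctr)
    return stream, calls


def cenc_encrypt(E, nonce: bytes, msg: bytes, w: int = 256) -> bytes:
    """C = M xor (first |M| bits of the keystream); decryption is the same call on C."""
    nblocks = math.ceil(len(msg) / N_BYTES)
    stream, _ = cenc_keystream(E, nonce, nblocks, w)
    return xor(msg, b"".join(stream)[:len(msg)])


def blockcipher_calls(nblocks: int, w: int) -> int:
    """Cost realised by cenc_keystream: one mask per frame plus one call per block."""
    return math.ceil(nblocks / w) + nblocks


def demo() -> bytes:
    key = bytes(range(16))                          # constructed sample key
    E = toy_blockcipher(key)
    nonce = b"\x00" * 7 + b"\x01"                   # constructed nonce; never reused under one key
    msg = b"beyond the birthday bound, frame by frame".ljust(70, b".")  # 70 bytes = 5 blocks
    c = cenc_encrypt(E, nonce, msg, w=4)            # w = 4 so frame boundaries show in a test
    assert cenc_encrypt(E, nonce, c, w=4) == msg    # same call decrypts
    return c


if __name__ == "__main__":
    print(demo().hex())
    print("E_K calls for 256 blocks at w=256:", blockcipher_calls(256, 256))
```

With the default w = 256 the mask costs one extra call per 256 blocks; the small w = 4 in demo() makes the frame structure observable: blocks S_0 to S_3 share the mask computed at counter value 0, and the second frame starts at counter value 5 with a fresh mask.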

19. CHM (Iwata, FSE ’06)
• CENC with Hash based MAC
• $S_0 \leftarrow E_K(1^{n-1}0)$, $S_1 \leftarrow E_K(1^n)$
• use CENC to produce $1 + |M|/n$ blocks of S: $\mathrm{CENC}_K(N) \to S = S_A \,\|\, S_C$, where $S_A$ is the first block and $S_C$ the following $|M|/n$ blocks
• $C \leftarrow M \oplus$ (first |M| bits of $S_C$)
• $T \leftarrow \mathrm{Hash}_{S_0}(C) \oplus \mathrm{Hash}_{S_1}(A) \oplus S_A$ (truncate if needed)

20. Encryption of CHM
[figure: S_0 ← E_K(1^{n−1}0), S_1 ← E_K(1^n); CENC keyed by N produces the keystream; M_1, ..., M_4 are encrypted to C_1, ..., C_4; A_1, ..., A_4 (padded) are hashed from 0^n with key S_1 and C_1, ..., C_4 (padded) from 0^n with key S_0; the two hash outputs are combined into T]

21. Security Theorems
• privacy
$\mathrm{Adv}^{\mathrm{priv}}_{\mathrm{CHM}}(A) \le \frac{w\tilde{\sigma}^2}{2^{2n-6}} + \frac{w\tilde{\sigma}^3}{2^{2n-3}} + \frac{1}{2^n} + \frac{w\tilde{\sigma}}{2^n}$
• authenticity
$\mathrm{Adv}^{\mathrm{auth}}_{\mathrm{CHM}}(A) \le \frac{w\tilde{\sigma}^2}{2^{2n-6}} + \frac{w\tilde{\sigma}^3}{2^{2n-3}} + \frac{1}{2^n} + \frac{w\tilde{\sigma}}{2^n} + \frac{1 + H_{\max} + M_{\max}}{2^\tau}$
• beyond the birthday bound; $\tau \le n$: tag length
• $H_{\max}$, $M_{\max}$ are the maximum block lengths of header and plaintext

22. Properties
• combines CENC and a polynomial hash
• uses a single key
• A and C are MACed separately
• better than the birthday bound security
– problem if $\tau$ is small (e.g. $\tau = 32$ or 48)
– similar to GCM: $\mathrm{Adv}^{\mathrm{auth}}_{\mathrm{CHM}}(A) \le \cdots + \frac{1 + H_{\max} + M_{\max}}{2^\tau}$
• polynomial hash is not parallelizable (as in GCM)
– can be a bottleneck for hardware

23. Inner Product Hash
• fully parallelizable
• inputs: $x = (x_1, \ldots, x_t)$, key $k = (k_1, \ldots, k_t)$
• output: $H_k(x) = (x_1, \ldots, x_t) \cdot (k_1, \ldots, k_t) = x_1 \cdot k_1 \oplus \cdots \oplus x_t \cdot k_t$, multiplication over GF(2^n)
• |k| can be large, |x| = |k|

24. AE1 (This Talk)
• uses a blockcipher
• can be used even if $\tau$ is small
• allows parallel computation
– $\varpi$: frame width, default: $\varpi = 2$ or 4
• Hash part
– input x, keys $K, T_1, \ldots, T_\varpi$ (constant size)
– output T

25. Padding for Hash
[figure: x followed by 10···0 padding up to a multiple of n bits; the padded input is split into frames of $\varpi$ blocks, the last frame holding at most $\varpi$ blocks]

26. Hash of AE1
[figure: x_1, ..., x_9 in three frames of three blocks; each frame is multiplied blockwise with (T_1, T_2, T_3), combined with the frame constant (drawn as 0^n, 1^n, 2^n) and passed through E_K; the three E_K outputs are combined into T]
• combines the inner product $(x_1, \ldots, x_\varpi) \cdot (T_1, \ldots, T_\varpi)$ and E
• long (but constant) key size
• about $|x|/n$ field multiplications and $|x|/\varpi n$ calls of E

27. Hash of AE1
[figure: same as slide 26]
• frame counter to avoid a trivial swap
• last block of x is non-zero (by padding)
• proof that AE1.Hash is $\epsilon$-AXU

28. AE1.Hash is $\epsilon$-AXU ($\epsilon$-almost XOR universal)
• H is $\epsilon$-AXU if $\forall x, x'$ ($x \ne x'$) and $\forall y \in \mathrm{GF}(2^\tau)$, $\Pr(H_K(x) \oplus H_K(x') = y) \le \epsilon$
• Proposition: $\forall x, x'$ ($x \ne x'$) and $\forall y \in \mathrm{GF}(2^\tau)$,
$\Pr(H_K(x) \oplus H_K(x') = y) \le \frac{\ell + \ell' - 1}{2^n} + \frac{2}{2^\tau} + \mathrm{Adv}^{\mathrm{prp}}_E(A)$
– x: $\ell$ frames, x′: $\ell'$ frames, $\ell + \ell' - 1 \le 2^{n-1}$
– A makes at most $\ell + \ell'$ queries
• $2/2^\tau$ is a constant
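An added Python example, not code from the slides or from the GCM or AE1 specifications, covering three of the points above in one place: the GCM-style polynomial hash of slides 10 to 12, whose steps form a chain; the inner product hash of slide 23, whose products are independent of each other; and the frame swap that slide 27 says the frame counter prevents. Assumptions: GF(2^128) with the GCM field polynomial in plain (non-reflected) bit order, byte-granular 10···0 padding, an HMAC-based stand-in for E_K, and, in ae1_style_hash, that the frame counter is XORed into the frame's inner product before E_K, which is a reading of the figure rather than something the slides state.

```python
import hashlib
import hmac
from functools import reduce
from typing import Callable, List, Tuple

N_BITS = 128
N_BYTES = N_BITS // 8
POLY = (1 << N_BITS) | 0x87     # x^128 + x^7 + x^2 + x + 1, the GCM field polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^128); bit i of an int is the coefficient of x^i
    (plain ordering, not GCM's bit-reflected convention)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N_BITS:         # degree reached 128: reduce modulo POLY
            a ^= POLY
    return r


def polynomial_hash(h: int, blocks: List[int]) -> int:
    """GCM-style polynomial hash: y_i = (y_{i-1} xor x_i) * H. Every step needs
    the previous one, which is why slide 12 calls it non-parallelizable."""
    y = 0
    for x in blocks:
        y = gf_mul(y ^ x, h)
    return y


def inner_product_hash(keys: List[int], blocks: List[int]) -> int:
    """Slide 23: H_k(x) = x_1*k_1 xor ... xor x_t*k_t with |x| = |k| blocks.
    Each product is independent of the others, so all t can run in parallel."""
    assert len(keys) == len(blocks)
    return reduce(lambda acc, t: acc ^ t, map(gf_mul, blocks, keys), 0)


def pad10(x: bytes) -> bytes:
    """Slide 25: append 1 0...0 up to a multiple of n bits (byte granularity here),
    so the last block of the padded input is never zero."""
    padded = x + b"\x80"
    return padded + bytes(-len(padded) % N_BYTES)


def to_frames(x: bytes, w: int) -> List[List[int]]:
    """Split padded bytes into n-bit blocks, then into frames of at most w blocks."""
    blocks = [int.from_bytes(x[i:i + N_BYTES], "big") for i in range(0, len(x), N_BYTES)]
    return [blocks[j:j + w] for j in range(0, len(blocks), w)]


def toy_blockcipher(key: bytes) -> Callable[[int], int]:
    """Stand-in for E_K on n-bit values (HMAC-SHA256 truncated; a PRF, not a permutation)."""
    def E(block: int) -> int:
        d = hmac.new(key, block.to_bytes(N_BYTES, "big"), hashlib.sha256).digest()
        return int.from_bytes(d[:N_BYTES], "big")
    return E


def frame_sum_no_counter(T: List[int], x: bytes, w: int) -> int:
    """What slide 27 warns about: xor of per-frame inner products with no frame
    counter and no E_K. Swapping two full frames leaves the result unchanged."""
    frames = to_frames(pad10(x), w)
    return reduce(lambda acc, f: acc ^ inner_product_hash(T[:len(f)], f), frames, 0)


def ae1_style_hash(E, T: List[int], x: bytes, w: int) -> int:
    """Reading of slides 26-27 used here (an assumption; the slides do not spell out
    the combining rule): for frame j, xor the frame counter <j>_n into the frame's
    inner product, apply E_K, and xor all frame outputs into T."""
    frames = to_frames(pad10(x), w)
    return reduce(lambda acc, jf: acc ^ E(inner_product_hash(T[:len(jf[1])], jf[1]) ^ jf[0]),
                  enumerate(frames), 0)


def swap_demo(w: int = 4) -> Tuple[bool, bool]:
    """Build x = A||B and x' = B||A with A, B each exactly one frame of w blocks,
    and report whether each construction treats the two inputs as equal."""
    E = toy_blockcipher(bytes(range(16)))          # constructed sample key
    T = [E(1000 + i) for i in range(w)]            # constructed hash keys T_1..T_w
    A = bytes([0xAA]) * (w * N_BYTES)
    B = bytes([0xBB]) * (w * N_BYTES)
    return (frame_sum_no_counter(T, A + B, w) == frame_sum_no_counter(T, B + A, w),
            ae1_style_hash(E, T, A + B, w) == ae1_style_hash(E, T, B + A, w))


if __name__ == "__main__":
    print("swap undetected without counter, with counter:", swap_demo())
```

Running swap_demo() returns (True, False): the plain xor of frame inner products cannot tell A||B from B||A, while the variant that binds each frame to its index through E_K does. The padding adds a full 10···0 block to both inputs, which is why the last frame in each case is a single non-zero block.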

29. Encryption of AE1
• replace the Hash in CHM with AE1.Hash
• inputs: the key K, nonce N, plaintext M
• outputs: the ciphertext C and tag T
(K, N, M) → AE1 → (C, T)
• M is encrypted and authenticated, can be of any length, |C| = |M|

30. Hash Key Derivation of AE1
• Hash keys: $K_H, T_1, \ldots, T_\varpi$
– $K_H \leftarrow E_K(\langle 0 \rangle_{n/2} \,\|\, 1^{n/2}) \,\|\, \cdots \,\|\, E_K(\langle \lceil k/n \rceil - 1 \rangle_{n/2} \,\|\, 1^{n/2})$
– $T_1 \leftarrow E_K(\langle \lceil k/n \rceil \rangle_{n/2} \,\|\, 1^{n/2})$
– $T_2 \leftarrow E_K(\langle \lceil k/n \rceil + 1 \rangle_{n/2} \,\|\, 1^{n/2})$
– ...
– $T_\varpi \leftarrow E_K(\langle \lceil k/n \rceil + \varpi - 1 \rangle_{n/2} \,\|\, 1^{n/2})$

31. Encryption of AE1
[figure: CHM-style layout with N into CENC; M_1, ..., M_4 encrypted to C_1, ..., C_4; A_1, ..., A_4 and C_1, ..., C_4 hashed from 0^n with keys S_1 and S_0, combined into T]

32. Encryption of AE1
[figure: N into CENC; M_1, ..., M_8 encrypted to C_1, ..., C_8; C_1, ..., C_8 hashed from 0^n with key S_0 to give T]

33. Encryption of AE1
[figure: same as slide 32]
