Authenticated Encryption Atul Luykx COSIC, ESAT, KU Leuven, Belgium - - PowerPoint PPT Presentation

Authenticated Encryption

Atul Luykx

COSIC, ESAT, KU Leuven, Belgium

July 15, 2016

1

2

2

2

2

2

2

2

2

2

2

Modeling Attacks

3

Modeling Attacks

3

Modeling Attacks

Encryption

3

Modeling Attacks

Encryption

3

Modeling Attacks

Encryption Decryption

3

Modeling Attacks

Encryption Decryption K K

3

Modeling Attacks

Encryption Decryption K K Adversary

3

Ciphertext-Only

Plaintext unknown, adversary receives only ciphertext

4

Ciphertext-Only

Plaintext unknown, adversary receives only ciphertext m1 m2 m3 m4 EK EK EK EK c1 c2 c3 c4

4

Ciphertext-Only

Plaintext unknown, adversary receives only ciphertext m1 m2 m3 m4 EK EK EK EK c1 c2 c3 c4

4

Ciphertext-Only Attacks In Practice

5

Ciphertext-Only Attacks In Practice

5

Ciphertext-Only Attacks In Practice

5

Known Plaintext Attacks

6

Known Plaintext Attacks

6

Known Plaintext Attacks

6

KPA: Brute Force

m1 EK c1

1ECRYPT II 2012 key size recommendation

7

KPA: Brute Force

m1 EK c1 Cipher Block size Key size DES 64 56 AES 128 128, 192, 256 KATAN 32, 48, 64 80

1ECRYPT II 2012 key size recommendation

7

KPA: Brute Force

m1 EK c1 Cipher Block size Key size DES 64 56 AES 128 128, 192, 256 KATAN 32, 48, 64 80

• 1. Key recovery

1ECRYPT II 2012 key size recommendation

7

KPA: Brute Force

m1 EK c1 Cipher Block size Key size DES 64 56 AES 128 128, 192, 256 KATAN 32, 48, 64 80

• 1. Key recovery

◮ Determines how long the data must be protected 1ECRYPT II 2012 key size recommendation

7

KPA: Brute Force

m1 EK c1 Cipher Block size Key size DES 64 56 AES 128 128, 192, 256 KATAN 32, 48, 64 80

• 1. Key recovery

◮ Determines how long the data must be protected ◮ Properly designed block cipher: brute force 1ECRYPT II 2012 key size recommendation

7

KPA: Brute Force

m1 EK c1 Cipher Block size Key size DES 64 56 AES 128 128, 192, 256 KATAN 32, 48, 64 80

• 1. Key recovery

◮ Determines how long the data must be protected ◮ Properly designed block cipher: brute force ◮ 80 bit key: long-term protection against small organizations,

very short-term protection against agencies1

1ECRYPT II 2012 key size recommendation

7

KPA: Brute Force

m1 EK c1 Cipher Block size Key size DES 64 56 AES 128 128, 192, 256 KATAN 32, 48, 64 80

• 1. Key recovery

◮ Determines how long the data must be protected ◮ Properly designed block cipher: brute force ◮ 80 bit key: long-term protection against small organizations,

very short-term protection against agencies1

◮ Guessing one key out of many is much easier 1ECRYPT II 2012 key size recommendation

7

Chosen-Plaintext Attacks

• 1. Diplomatic messaging

8

Chosen-Plaintext Attacks

• 1. Diplomatic messaging
• 2. ATMs and PINs

8

Chosen-Plaintext Attacks

• 1. Diplomatic messaging
• 2. ATMs and PINs
• 3. Locks, sensors, cameras

8

Chosen-Plaintext Attacks

• 1. Diplomatic messaging
• 2. ATMs and PINs
• 3. Locks, sensors, cameras
• 4. Javascript code in browsers

8

CPA: BEAST

9

CPA: BEAST

Secure: IV ⊕ m1 EK c1 m2 m3 m4

+ + +

EK EK EK EK c1 c2 c3 c4

9

CPA: BEAST

Secure: IV ⊕ m1 EK c1 m2 m3 m4

+ + +

EK EK EK EK c1 c2 c3 c4 Insecure: IV ⊕ m1 EK c1 m2 m3 m4

+ + +

EK EK EK EK c1 c2 c3 c4

9

CPA: BEAST

IV1 ⊕ m1 EK c1 m2 m′

1

m′

2

+ + +

EK EK EK EK c1 c2 = IV2 c′

1

c′

2 9

CPA: BEAST

IV1 ⊕ m1 EK c1 m2 m′

1

m′

2

+ + +

EK EK EK EK c1 c2 = IV2 c′

1

c′

2

m′

1 = IV1 ⊕ IV2 ⊕ Guess 9

CPA: BEAST

IV1 ⊕ m1 EK c1 m2 m′

1

m′

2

+ + +

EK EK EK EK c1 c2 = IV2 c′

1

c′

2

m′

1 = IV1 ⊕ IV2 ⊕ Guess

Inject zero padding in m1

9

Chosen-Ciphertext Attacks

• 1. Devices all connected to internet: easy access to decryption

10

Chosen-Ciphertext Attacks

• 1. Devices all connected to internet: easy access to decryption
• 2. TLS padding oracle attack: decryption algorithm leaks validity
• f padding

10

Chosen-Ciphertext Attacks

• 1. Devices all connected to internet: easy access to decryption
• 2. TLS padding oracle attack: decryption algorithm leaks validity
• f padding
• 3. Data Authenticity?

10

Necessary Security Level Chosen-ciphertext Confidentiality and Authenticity

11

Necessary Security Level Chosen-ciphertext Confidentiality and Authenticity ⇒ Authenticated Encryption

11

Authenticated Encryption

K K

12

Authenticated Encryption

K K

n

12

Authenticated Encryption

K K

n

AEncK

n

12

Authenticated Encryption

K K

n

AEncK

n n

12

Authenticated Encryption

K K

n

AEncK

n n

ADecK ⊥

12

Authenticated Encryption Security

AE security = Confidentiality + Authenticity

13

Authenticated Encryption Security

AE security = Confidentiality + Authenticity Simultaneous vs Separate Treatment

13

Authenticated Encryption Security

AE security = Confidentiality + Authenticity Simultaneous vs Separate Treatment

13

Authenticity: Intuition

K K

n

AEncK

n

14

Authenticity: Intuition

K K

n

AEncK

n

14

Authenticity: Intuition

K K

n

AEncK

n n

14

Authenticity: Intuition

K K

n

AEncK

n n

ADecK ⊥

14

Authenticity: Formalization

n

AEncK

n n

ADecK ⊥

15

Authenticity: Formalization

N, M AEncK N, C N, C’ ADecK ⊥

15

Authenticity: Formalization

N, M AEncK N, C N, C’ ADecK ⊥?

15

Authenticity: Formalization

N, M ? AEncK N, C N, C’ ADecK ⊥?

15

Authenticity: Adversarial Power

N, M AEncK N, C

Plaintext Control:

?

16

Authenticity: Adversarial Power

N, M AEncK N, C

Plaintext Control: Ciphertext-only Random

16

Authenticity: Adversarial Power

N, M AEncK N, C

Plaintext Control: Ciphertext-only Known Plaintext M1, M2, . . . , Mq

16

Authenticity: Adversarial Power

N, M AEncK N, C

Plaintext Control: Ciphertext-only Known Plaintext Chosen Plaintext

16

Authenticity: Adversarial Power

N, M AEncK N, C

Plaintext Control: Ciphertext-only Known Plaintext Chosen Plaintext Nonce Control: Force Uniqueness Allow “Abuse”

16

Non-Example: One-time pad

K M1

17

Non-Example: One-time pad

K M1 + C1

17

Non-Example: One-time pad

K M1 + C1 M2 + C2

17

Non-Example: One-time pad

K M1 + C1 M2 + C2 N2

17

Non-Example: One-time pad

K M1 + C1 M2 + C2 N2 K C2 + M2 N2

17

Non-Example: One-time pad

C K C + M2 N2 Valid?

17

Non-Example: One-time pad

K M M + C

17

Non-Example: One-time pad

K M M + C K C + M2 N2 M M If equal, valid.

17

Non-Example: One-time pad

K M M + C K C + M2 N2 M M If equal, valid. + M’ M’

17

Using a Block Cipher

MM EK C C E −1

K

MM?

18

Using a Block Cipher

NM EK C C E −1

K

NM?

18

Authenticity Only

Confidentiality does not imply Authenticity

19

Authenticity Only

Confidentiality does not imply Authenticity n n

AEncK

n

ADecK ⊥?

19

Authenticity Only

Confidentiality does not imply Authenticity n n

TagK

n

VerifyK ⊥?

19

Example: Authentication With Block Cipher

M EK T

20

Example: Authentication With Block Cipher

M EK T TagK

20

Example: Authentication With Block Cipher

M EK T TagK M′ VerifyK T ∗ EK T ′

?

=

20

Example: Authentication With Block Cipher

M1 ⊕ M2 EK T TagK M′ VerifyK T ∗ EK T ′

?

=

20

Example: Authentication With Block Cipher

EL(M1) ⊕ EL(M2) EK T TagK M′ VerifyK T ∗ EK T ′

?

=

20

Example: Authentication With Block Cipher

EL(N) ⊕ EL(M1) ⊕ EL(M2) EK T TagK M′ VerifyK T ∗ EK T ′

?

=

20

Authentication Algorithm Design

N, M T

PRFK

21

Authentication Algorithm Design

N, M T

PRFK

T ′

21

Authentication Algorithm Design

N, M T

PRFK

T ′

?

= 1

21

Pseudorandom Functions

N, M T

PRFK

T ′

?

= 1

22

Pseudorandom Functions

N, M T PRFK N, M T Random

22

Modes of Operation

PRFK

23

Modes of Operation

PRFK m1 EK c1

23

Modes of Operation

PRFK m1 EK m2 m3 m4

+ + +

EK EK EK EK T

23

Overview

• 1. Block cipher

m1 EK c1

24

Overview

• 1. Block cipher
• 2. Mode of operation

m1 EK c1 m2 m3 m4

+ + +

EK EK EK EK T

24

Overview

• 1. Block cipher
• 2. Mode of operation
• 3. Authentication Algorithm

m1 EK c1 m2 m3 m4

+ + +

EK EK EK EK T N, M T

PRFK

T ′

?

= 1

24

Overview

• 1. Block cipher
• 2. Mode of operation
• 3. Authentication Algorithm
• 4. Authenticated Encryption

m1 EK c1 m2 m3 m4

+ + +

EK EK EK EK T N, M T

PRFK

T ′

?

= 1

24

Overview

• 1. Block cipher
• 2. Mode of operation
• 3. Authentication Algorithm
• 4. Authenticated Encryption
• 5. TLS

m1 EK c1 m2 m3 m4

+ + +

EK EK EK EK T N, M T

PRFK

T ′

?

= 1

24

Example: CBC-MAC

m1 EK c1 m2 m3 m4

+ + +

EK EK EK EK T

25

Example: CBC-MAC

m1 EK c1 m2 m3 m4

+ + +

EK EK EK EK T T EK m′

2

m′

3

m′

4

+ + +

EK EK EK EK T ′

25

Example: CBC-MAC

N EK c1 m2 m3 m4

+ + +

EK EK EK EK T N′ EK m′

2

m′

3

m′

4

+ + +

EK EK EK EK T ′

25

Example: CBC-MAC

m1 EK c1 m2 m3 m4

+ + +

EK EK EK EK EL T T EK m′

2

m′

3

m′

4

+ + +

EK EK EK EK EL T ′

25

Example: Polynomial-based

m1 ×K c1 m2 m3 m4

+ + +

×K ×K ×K ×K EL T ×K m′

2

m′

3

m′

4

+ + +

×K ×K ×K ×K EL T T ′

26

Example: Polynomial-based

m1 ×K c1 m2 m3 m4

+ + +

×K ×K ×K ×K EL T ×K m′

2

m′

3

m′

4

+ + +

×K ×K ×K ×K EL (m1 + T)K 4 + (m2 + m′

2)K 3 + (m3 + m′ 3)K 2 + (m4 + m′ 4)K = 0

T T ′

26

Example: Polynomial-based

m1 ×K c1 m2 m3 m4

+ + +

×K ×K ×K ×K EL T ×K m′

2

m′

3

m′

4

+ + +

×K ×K ×K ×K EL (m1 + T)K 4 + (m2 + m′

2)K 3 + (m3 + m′ 3)K 2 + (m4 + m′ 4)K = 0

N

+

T N′

+

T

26

Example: Polynomial-based

m1 ×K c1 m2 m3 m4

+ + +

×K ×K ×K ×K EL T ×K m′

2

m′

3

m′

4

+ + +

×K ×K ×K ×K EL (m1 + T)K 4 + (m2 + m′

2)K 3 + (m3 + m′ 3)K 2 + (m4 + m′ 4)K = 0

N

+

T N′

+

T TLS: GCM Poly1305

26

Parameters For Modes

• 1. Block cipher

m1 EK m2 m3 m4

+ + +

EK EK EK EK T

27

Parameters For Modes

• 1. Block cipher

1.1 Key size

m1 EK m2 m3 m4

+ + +

EK EK EK EK T

27

Parameters For Modes

• 1. Block cipher

1.1 Key size 1.2 Block size

m1 EK m2 m3 m4

+ + +

EK EK EK EK T

27

Parameters For Modes

• 1. Block cipher

1.1 Key size 1.2 Block size

• 2. Tag size (usually not greater

than Block size)

m1 EK m2 m3 m4

+ + +

EK EK EK EK T

27

Parameters For Modes

• 1. Block cipher

1.1 Key size 1.2 Block size

• 2. Tag size (usually not greater

than Block size) Cipher Block size Key size DES 64 56 AES 128 128, 192, 256 KATAN 32, 48, 64 80

m1 EK m2 m3 m4

+ + +

EK EK EK EK T

27

General Attacks

• 1. Key recovery

◮ Determines how long the data must be protected ◮ Properly designed block cipher: brute force ◮ 80 bit key: long-term protection against small organizations,

very short-term protection against agencies2

2ECRYPT II 2012 key size recommendation

28

General Attacks

• 1. Key recovery

◮ Determines how long the data must be protected ◮ Properly designed block cipher: brute force ◮ 80 bit key: long-term protection against small organizations,

very short-term protection against agencies2

• 2. Forgery

2ECRYPT II 2012 key size recommendation

28

General Attacks

• 1. Key recovery

◮ Determines how long the data must be protected ◮ Properly designed block cipher: brute force ◮ 80 bit key: long-term protection against small organizations,

very short-term protection against agencies2

• 2. Forgery

◮ Bounds how many messages can be processed 2ECRYPT II 2012 key size recommendation

28

General Attacks

• 1. Key recovery

◮ Determines how long the data must be protected ◮ Properly designed block cipher: brute force ◮ 80 bit key: long-term protection against small organizations,

very short-term protection against agencies2

• 2. Forgery

◮ Bounds how many messages can be processed ◮ Properly designed mode: tag guessing 2ECRYPT II 2012 key size recommendation

28

General Attacks

• 1. Key recovery

◮ Determines how long the data must be protected ◮ Properly designed block cipher: brute force ◮ 80 bit key: long-term protection against small organizations,

very short-term protection against agencies2

• 2. Forgery

◮ Bounds how many messages can be processed ◮ Properly designed mode: tag guessing ◮ 32 bit tag: about 4 billion messages can be verified 2ECRYPT II 2012 key size recommendation

28

Scenario

10,000

29

Scenario

10,000 10 MiB

29

Scenario

10,000 10 MiB

• 1. 32 bit block cipher (KATAN): 80 bit key and 32 bit tag suffice

29

Scenario

10,000 10 MiB

• 1. 32 bit block cipher (KATAN): 80 bit key and 32 bit tag suffice
• 2. Additional restriction: 256 KiB of data per key

29

Scenario

10,000 10 MiB

• 1. 32 bit block cipher (KATAN): 80 bit key and 32 bit tag suffice
• 2. Additional restriction: 256 KiB of data per key
• 3. 1 vulnerability per device per key: 40 key distributions

29

Scenario

10,000 10 MiB

• 1. 32 bit block cipher (KATAN): 80 bit key and 32 bit tag suffice
• 2. Additional restriction: 256 KiB of data per key
• 3. 1 vulnerability per device per key: 40 key distributions
• 4. 1/10000 devices vulnerable: switch after 2 KiB, more than

1000 key distributions

29

PRF Mode Reduction

m1 m2 m3 m4

+ + +

EK EK EK EK T

30

PRF Mode Reduction

m1 m2 m3 m4

+ + +

EK EK EK EK T EK vs π

30

PRF Mode Reduction

m1 m2 m3 m4

+ + +

π π π π T EK vs π (PRF vs Random) ≤ (PRFEK vs PRFπ) + (PRFπ vs Random)

30

PRF Mode Reduction

m1 m2 m3 m4

+ + +

π π π π T EK vs π (PRF vs Random) ≤ (PRFEK vs PRFπ) + (PRFπ vs Random) + Mode insecurity Block cipher insecurity Insecurity ≤

30

PRF Mode Reduction

m1 m2 m3 m4

+ + +

π π π π T EK vs π (PRF vs Random) ≤ (PRFEK vs PRFπ) + (PRFπ vs Random) + Mode insecurity Block cipher insecurity Insecurity ≤ Key Recovery

30

PRF Mode Reduction

m1 m2 m3 m4

+ + +

π π π π T EK vs π (PRF vs Random) ≤ (PRFEK vs PRFπ) + (PRFπ vs Random) + Mode insecurity Block cipher insecurity Insecurity ≤ Key Recovery Tag Guessing

30

PRF Mode Reduction

m1 m2 m3 m4

+ + +

π π π π T EK vs π (PRF vs Random) ≤ (PRFEK vs PRFπ) + (PRFπ vs Random) + Mode insecurity Block cipher insecurity Insecurity ≤ Key Recovery Tag Guessing “Collisions”

30

Example: Reasoning About Collisions

m1 m2 m3 m4

+ + +

π π π π T m′

1

m′

2

m′

3

m′

4

+ + +

π π π π T ′

31

Example: Reasoning About Collisions

m1 m2 m3 m4

+ + +

π π π π T m′

1

m′

2

m′

3

m′

4

+ + +

π π π π T ′

31

Example: Reasoning About Collisions

m1 m2 m3 m4

+ + +

π π π π T m′

1

m′

2

m′

3

m′

4

+ + +

π π π π T ′

31

Example: Reasoning About Collisions

m1 m2 m3 m4

+ + +

π π π π T m1 m2 m3 m′

4

+ + +

π π π π T ′

31

Example: Reasoning About Collisions

m1 m2 m3 m4

+ + +

π π π π T m′

1

m′

2

m′

3

m′

4

+ + +

π π π π T ′

31

Mode Insecurity Bounds

Mode Insecurity ≤ q2ℓ2 2n , (1) with n Block size q Number of queries ℓ Query length in blocks

32

Mode Insecurity Bounds

Mode Insecurity ≤ q2ℓ2 2n , (1) with n Block size q Number of queries ℓ Query length in blocks KATAN: n = 32 q2ℓ2 232 ≤ 1

• r

qℓ = 216 , (2) ≈ 256 KiB

32

How Long Can The Messages Be?

1 2 3 4 5 6 7 ·104 20 21 22 23 24 25 26 27 28 29 210 q2ℓ2 = 232 Number of queries — q Message Block Length — ℓ

33

Improvements?

Mode Insecurity ≤ q2ℓ2 2n , (3)

34

Improvements?

Mode Insecurity ≤ q2ℓ2 2n , (3)

m1 m2 m3 m4

+ + +

π π π π T m′

1

m′

2

m′

3

m′

4

+ + +

π π π π T

34

Improvements?

q2 2n ≤ Mode Insecurity ≤ q2ℓ2 2n , (3)

m1 m2 m3 m4

+ + +

π π π π T m′

1

m′

2

m′

3

m′

4

+ + +

π π π π T

34

Improvements?

q2 2n ≤ Mode Insecurity ≤ q2ℓ 2n , (3)

m1 m2 m3 m4

+ + +

π π π π T m′

1

m′

2

m′

3

m′

4

+ + +

π π π π T

34

How Long Can The Messages Be? (2)

1 2 3 4 5 6 7 ·104 21 24 27 210 213 216 219 q2ℓ2 = 232 q2ℓ = 232 Number of queries — q Message Block Length — ℓ

35

Scenario Improved

10,000 10 MiB

• 1. Additional restriction: 256 KiB of data per key
• 2. 1 vulnerability per device per key: 40 key distributions
• 3. 1/10000 devices vulnerable: switch after 2 KiB, more than

1000 key distributions

36

Scenario Improved

10,000 10 MiB

• 1. Additional restriction: 16 MiB of data per key
• 2. 1 vulnerability per device per key: 40 key distributions
• 3. 1/10000 devices vulnerable: switch after 2 KiB, more than

1000 key distributions

36

Scenario Improved

10,000 10 MiB

• 1. Additional restriction: 16 MiB of data per key (if q ≤ 1000)
• 2. 1 vulnerability per device per key: 40 key distributions
• 3. 1/10000 devices vulnerable: switch after 2 KiB, more than

1000 key distributions

36

Scenario Improved

10,000 10 MiB

• 1. Additional restriction: 16 MiB of data per key (if q ≤ 1000)
• 2. 1 vulnerability per device per key: no vulnerabilities (if

q ≤ 1000)

• 3. 1/10000 devices vulnerable: switch after 2 KiB, more than

1000 key distributions

36

Scenario Improved

10,000 10 MiB

• 1. Additional restriction: 16 MiB of data per key (if q ≤ 1000)
• 2. 1 vulnerability per device per key: no vulnerabilities (if

q ≤ 1000)

• 3. 1/10000 devices vulnerable: switch after 4 KiB, more than

1000 key distributions

36

Scenario Improved

10,000 10 MiB

• 1. Additional restriction: 16 MiB of data per key (if q ≤ 1000)
• 2. 1 vulnerability per device per key: no vulnerabilities (if

q ≤ 1000)

• 3. 1/10000 devices vulnerable: switch after 4 KiB, more than

500 key distributions

36

Scenario Improved

10,000 10 MiB

• 1. Additional restriction: 16 MiB of data per key (if q ≤ 1000)
• 2. 1 vulnerability per device per key: no vulnerabilities (if

q ≤ 1000)

• 3. 1/10000 devices vulnerable: switch after 4 KiB, more than

500 key distributions , and q ≤ 1000 and ℓ = 1

36

Can We Do Better?

q2 2n ≤ Mode Insecurity ≤ q2ℓ 2n , (4)

37

Can We Do Better?

q2 2n ≤ Mode Insecurity ≤ q2ℓ 2n , (4)

• 1. Some modes have ℓ/2n attacks; q2ℓ bound might be optimal

37

Can We Do Better?

q2 2n ≤ Mode Insecurity ≤ q2ℓ 2n , (4)

• 1. Some modes have ℓ/2n attacks; q2ℓ bound might be optimal
• 2. Other modes designed to reduce the impact of ℓ:

37

Can We Do Better?

q2 2n ≤ Mode Insecurity ≤ q2ℓ 2n , (4)

• 1. Some modes have ℓ/2n attacks; q2ℓ bound might be optimal
• 2. Other modes designed to reduce the impact of ℓ:

q2 2n + q2ℓ2 22n (5)

37

Can We Do Better?

q2 2n ≤ Mode Insecurity ≤ q2ℓ 2n , (4)

• 1. Some modes have ℓ/2n attacks; q2ℓ bound might be optimal
• 2. Other modes designed to reduce the impact of ℓ:

q2 2n + q2ℓ2 22n (5)

• r even

q2 2n (6)

37

Can We Do Better?

q2 2n ≤ Mode Insecurity ≤ q2ℓ 2n , (4)

• 1. Some modes have ℓ/2n attacks; q2ℓ bound might be optimal
• 2. Other modes designed to reduce the impact of ℓ:

q2 2n + q2ℓ2 22n (5)

• r even

q2 2n (6)

• 3. No known restriction on ℓ

37

How Long Can The Messages Be? (3)

1 2 3 4 5 6 7 ·104 21 25 29 213 217 221 225 q2ℓ2 = 232 q2ℓ = 232 Number of queries — q Message Block Length — ℓ

38

How Long Can The Messages Be? (3)

1 2 3 4 5 6 7 ·104 21 25 29 213 217 221 225 232q2 + q2ℓ2 = 264 q2ℓ2 = 232 q2ℓ = 232 Number of queries — q Message Block Length — ℓ

38

How Long Can The Messages Be? (3)

1 2 3 4 5 6 7 ·104 21 25 29 213 217 221 225 q2 = 232 232q2 + q2ℓ2 = 264 q2ℓ2 = 232 q2ℓ = 232 Number of queries — q Message Block Length — ℓ

38

Scenario Improved Further

10,000 10 MiB

• 1. Additional restriction: 32 MiB of data per key (if q ≤ 1000)

39

Scenario Improved Further

10,000 10 MiB

• 1. Additional restriction: 32 MiB of data per key (if q ≤ 216 and

ℓ ≤ 216)

39

Scenario Improved Further

10,000 10 MiB

• 1. Additional restriction: 8 GiB of data per key (if q ≤ 216 and

ℓ ≤ 216)

39

Scenario Improved Further

10,000 10 MiB

• 1. Additional restriction: 8 GiB of data per key (if q ≤ 216 and

ℓ ≤ 216)

• 2. No key redistributions necessary.

39

Summary

• 1. Necessity of chosen ciphertext security
• 2. Authenticated encryption: combination of confidentiality and

authenticity

• 3. Limits imposed by parameters

Not the end of the story

• 1. Robustness to implementation errors
• 2. Replay attacks
• 3. Denial of service attacks
• 4. . . .

40

Summary

• 1. Necessity of chosen ciphertext security
• 2. Authenticated encryption: combination of confidentiality and

authenticity

• 3. Limits imposed by parameters

Not the end of the story

• 1. Robustness to implementation errors
• 2. Replay attacks
• 3. Denial of service attacks
• 4. . . .

Thank you for your attention.

40