authenticated encryption requirements
play

Authenticated Encryption Requirements David McGrew mcgrew@cisco.com - PowerPoint PPT Presentation

Nov 18, 2023 •24 likes •284 views

Desiderata Current AEAD use Evolution Conclusions Authenticated Encryption Requirements David McGrew mcgrew@cisco.com Directions in Authenticated Ciphers, 2012 Desiderata Current AEAD use Evolution Conclusions Many desirable attributes

  1. Desiderata Current AEAD use Evolution Conclusions Authenticated Encryption Requirements David McGrew mcgrew@cisco.com Directions in Authenticated Ciphers, 2012

  2. Desiderata Current AEAD use Evolution Conclusions Many desirable attributes High security Computationally cheap Low latency Compact in software and/or hardware Re-use existing cryptographic components Randomized (no nonce) Misuse resistance Side channel resistance Forward security Postquantum Key agility Beyond birthday bound security Message length hiding

  3. Desiderata Current AEAD use Evolution Conclusions Domains of use message size data rates goals Links 40 to 0.6 to low latency 2000 bytes 100 Gbit Internet 40 to 1 to 10 Mbit 2000 bytes Low power 1 to 100 bytes 20 to low expansion wireless 250 Kbits compact Data 512 to 400 Mbit randomized? at rest 4096 bytes

  4. Desiderata Current AEAD use Evolution Conclusions AEAD in standards AES-CCM 802.11i , 802.15 , ESP , TLS protocols AES-GCM 802.1AE (MACsec) , INCITS Fibre Channel (FC-SP) , IKE , ESP , TLS , SSH, and SRTP , P1619.1 and LTO-4 tape storage; Suite B AES-OCB 802.11i Camellia-GCM TLS ARIA-GCM TLS SEED-GCM TLS

  5. Desiderata Current AEAD use Evolution Conclusions Issues CCM Pre-encryption plaintext buffering

  6. Desiderata Current AEAD use Evolution Conclusions Issues CCM Pre-encryption plaintext buffering but short messages used in practice

  7. Desiderata Current AEAD use Evolution Conclusions Issues CCM Pre-encryption plaintext buffering but short messages used in practice Serialized

  8. Desiderata Current AEAD use Evolution Conclusions Issues CCM Pre-encryption plaintext buffering but short messages used in practice Serialized GCM Authentication weaker for longer messages

  9. Desiderata Current AEAD use Evolution Conclusions Issues CCM Pre-encryption plaintext buffering but short messages used in practice Serialized GCM Authentication weaker for longer messages but short messages used in practice

  10. Desiderata Current AEAD use Evolution Conclusions Issues CCM Pre-encryption plaintext buffering but short messages used in practice Serialized GCM Authentication weaker for longer messages but short messages used in practice Nonce hashing imperfect

  11. Desiderata Current AEAD use Evolution Conclusions Issues CCM Pre-encryption plaintext buffering but short messages used in practice Serialized GCM Authentication weaker for longer messages but short messages used in practice Nonce hashing imperfect but unused in practice

  12. Desiderata Current AEAD use Evolution Conclusions Issues CCM Pre-encryption plaintext buffering but short messages used in practice Serialized GCM Authentication weaker for longer messages but short messages used in practice Nonce hashing imperfect but unused in practice Compact software implementations difficult

  13. Desiderata Current AEAD use Evolution Conclusions Issues CCM Pre-encryption plaintext buffering but short messages used in practice Serialized GCM Authentication weaker for longer messages but short messages used in practice Nonce hashing imperfect but unused in practice Compact software implementations difficult Nonce re-use, short tags

  14. Desiderata Current AEAD use Evolution Conclusions GCM � IV � 0 31 1 if len ( IV ) = w − 32 Y 0 = GHASH ( H , {} , IV ) otherwise. Y i = incr ( Y i − 1 ) for i = 1 , . . . , n C i = P i ⊕ E ( K , Y i ) for i = 1 , . . . , n − 1 C ∗ n = P ∗ n ⊕ MSB u ( E ( K , Y n )) T = MSB t ( GHASH ( H , A , C ) ⊕ E ( K , Y 0 )) H = E ( K , 0 w )

  15. Desiderata Current AEAD use Evolution Conclusions GCM evolution? � IV � 0 31 1 if len ( IV ) = w − 32 Y 0 = GHASH ( H , {} , IV ) otherwise. Y i = incr ( Y i − 1 ) for i = 1 , . . . , n C i = P i ⊕ E ( K , Y i ) for i = 1 , . . . , n − 1 C ∗ n = P ∗ n ⊕ MSB u ( E ( K , Y n )) T = MSB t ( HASH ( E ( K , Y 0 ) , A , C )) per-packet hash key secure against nonce reuse, short authentication tags

  16. Desiderata Current AEAD use Evolution Conclusions GCM evolution? � IV � 0 31 1 if len ( IV ) = w − 32 Y 0 = GHASH ( H , {} , IV ) otherwise. Y i = incr ( Y i − 1 ) for i = 1 , . . . , n C i = P i ⊕ E ( K , Y i ) for i = 1 , . . . , n − 1 C ∗ n = P ∗ n ⊕ MSB u ( E ( K , Y n )) T = MSB t ( HASH ( E ( K , Y 0 ) , A , C )) per-packet hash key secure against nonce reuse, short authentication tags HASH can be software friendly (e.g. [RWB]) or E -based

  17. Desiderata Current AEAD use Evolution Conclusions GCM evolution? � IV � 0 31 1 if len ( IV ) = w − 32 Y 0 = GHASH ( H , {} , IV ) otherwise. Y i = incr ( Y i − 1 ) for i = 1 , . . . , n C i = P i ⊕ E ( K , Y i ) for i = 1 , . . . , n − 1 C ∗ n = P ∗ n ⊕ MSB u ( E ( K , Y n )) T = MSB t ( HASH ( E ( K , Y 0 ) , A , C )) per-packet hash key secure against nonce reuse, short authentication tags HASH can be software friendly (e.g. [RWB]) or E -based Broadens applicability, but may not address all domains

  18. Desiderata Current AEAD use Evolution Conclusions Recommendations

  19. Desiderata Current AEAD use Evolution Conclusions Recommendations Encourage exploration of design space

  20. Desiderata Current AEAD use Evolution Conclusions Recommendations Encourage exploration of design space Avoid over focus on performance, compactness, . . .

  21. Desiderata Current AEAD use Evolution Conclusions Recommendations Encourage exploration of design space Avoid over focus on performance, compactness, . . . Identify domains of use

  22. Desiderata Current AEAD use Evolution Conclusions Recommendations Encourage exploration of design space Avoid over focus on performance, compactness, . . . Identify domains of use Low power wireless

  23. Desiderata Current AEAD use Evolution Conclusions Recommendations Encourage exploration of design space Avoid over focus on performance, compactness, . . . Identify domains of use Low power wireless Document requirements within each domain

  24. Desiderata Current AEAD use Evolution Conclusions Recommendations Encourage exploration of design space Avoid over focus on performance, compactness, . . . Identify domains of use Low power wireless Document requirements within each domain Identify critical requirements

  25. Desiderata Current AEAD use Evolution Conclusions Recommendations Encourage exploration of design space Avoid over focus on performance, compactness, . . . Identify domains of use Low power wireless Document requirements within each domain Identify critical requirements Side channel resistance

  26. Desiderata Current AEAD use Evolution Conclusions Recommendations Encourage exploration of design space Avoid over focus on performance, compactness, . . . Identify domains of use Low power wireless Document requirements within each domain Identify critical requirements Side channel resistance Available royalty-free worldwide

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein University of Illinois at Chicago & m Technische Universiteit Eindhoven c k More details, credits: competitions.cr.yp.to network

1.33k views • 118 slides
The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich and Christian Rechberger University of Luxembourg and DTU (Denmark) Presented by Yu Sasaki (NTT, Japan) 15 August 2013 Authenticated encryption

556 views • 22 slides
Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

(A brief, incomplete) Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and Privacy June 11, 2018 Authenticated Encryption M M Its complicated Probabilistic or deterministic AE? Nonce based AE?

868 views • 47 slides
Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan Daemen 1 , Michal Peeters 2 , and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. While mainstream symmetric cryptography has

519 views • 12 slides
Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva COSIC, KU Leuven, Belgium Cryptoday 2014 Technion, Haifa, Israel 30/12/2014 Outline Authenticated Encryption: AE Generic AE composition

732 views • 55 slides
Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

ELmD Authenticated Encryption Scheme EME based Authenticated Encryption Schemes Comparative Study of ELmD with other EME based AEs Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul Nandi Indian

364 views • 20 slides
The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton DIAC Directions in Authenticated Ciphers 05 July 2012

748 views • 52 slides
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological University, Katholieke Universiteit Leuven Presented at DIAC 1 Classification of Authenticated Encryption AEGIS Design rationale

635 views • 19 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Taxonomy of security Authenticated encryption

440 views • 26 slides
CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE: Challenges in Authenticated Encryption https://chae.cr.yp.to Contributors to the white paper Jean-Philippe Aumasson David McGrew Steve Babbage

411 views • 4 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Authenticated Encryption! ( Using AES with 128

893 views • 67 slides
Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr

Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr

Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr 2 1 NEC Laboratories Europe, Germany 2 EPFL, Switzerland DIAC 2016: Directions in Authenticated Ciphers 2016 This work was partially supported by

696 views • 43 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
Chapter 12: Evolution of Low Mass Stars Chapter 12 Reading Assignment due Wednesday at 10:45am

Chapter 12: Evolution of Low Mass Stars Chapter 12 Reading Assignment due Wednesday at 10:45am

Chapter 12: Evolution of Low Mass Stars Chapter 12 Reading Assignment due Wednesday at 10:45am Are your grades in Canvas correct??? In-class/HW Assignment due now! Midterms available up front Turn in extra credit planetarium reports up front

548 views • 41 slides
Generalization via Modularity Deepak Chris Trevor Phillip Alyosha Pathak* Lu* Darrell

Generalization via Modularity Deepak Chris Trevor Phillip Alyosha Pathak* Lu* Darrell

Learning to Control Self-Assembling Morphologies Generalization via Modularity Deepak Chris Trevor Phillip Alyosha Pathak* Lu* Darrell Isola Efros * equal contribution NeurIPS 2019 How do we train a robot? Multiple tasks

685 views • 49 slides
Techniques for Evolution-Aware Runtime Verification Owolabi Legunsen, Yi Zhang, Milica

Techniques for Evolution-Aware Runtime Verification Owolabi Legunsen, Yi Zhang, Milica

Techniques for Evolution-Aware Runtime Verification Owolabi Legunsen, Yi Zhang, Milica Hadi-Tanovi, Grigore Rou, Darko Marinov ICST 2019 4/26/2019 CCF-1421503, CCF-1421575, CCF-1763788, CNS-1619275, CNS-1646305, CNS-1740916 Runtime

448 views • 30 slides
Evolution to 5G: An operator's perspective Dr. Ivo Maljevic TELUS team IEEE 5G Summit | Nov

Evolution to 5G: An operator's perspective Dr. Ivo Maljevic TELUS team IEEE 5G Summit | Nov

Evolution to 5G: An operator's perspective Dr. Ivo Maljevic TELUS team IEEE 5G Summit | Nov 2015 2 Cellular Standards Evolution ? 1980 1G 1990 2G 2000 3G 2010 - 4G 2020 5G Analog systems Digital

225 views • 11 slides
The Evolution of Microservices Adrian Cockcroft @adrianco Technology Fellow - Battery Ventures

The Evolution of Microservices Adrian Cockcroft @adrianco Technology Fellow - Battery Ventures

The Evolution of Microservices Adrian Cockcroft @adrianco Technology Fellow - Battery Ventures June 2016 What does @adrianco do? Maintain Relationship with Presentations at Technology Due Cloud Vendors Conferences Diligence on Deals

1.15k views • 66 slides
Evolution of Connections in SHRUTI Networks Joe Townsend, Ed Keedwell and Antony Galton

Evolution of Connections in SHRUTI Networks Joe Townsend, Ed Keedwell and Antony Galton

Evolution of Connections in SHRUTI Networks Joe Townsend, Ed Keedwell and Antony Galton Motivation Neural-Symbolic Reasoning: Adaptable representations of logic programs in neural networks. Can help us understand how reasoning might be

1.05k views • 40 slides
Large-scale Cancer Genomics Data Analysis David Haussler Center for Biomolecular Science and

Large-scale Cancer Genomics Data Analysis David Haussler Center for Biomolecular Science and

Large-scale Cancer Genomics Data Analysis David Haussler Center for Biomolecular Science and Engineering, UC Santa Cruz Cancer Genomics Hub Being built to store BAM & VCF for TCGA, TARGET and CGAP/CGCI projects Designed for 25,000

413 views • 29 slides
Introduction to Software Evolution Ashim Shahi Jurgen Vinju Anastasia Izmaylova Magiel

Introduction to Software Evolution Ashim Shahi Jurgen Vinju Anastasia Izmaylova Magiel

Introduction to Software Evolution Ashim Shahi Jurgen Vinju Anastasia Izmaylova Magiel Bruntink Atze van der Ploeg Vadim Zaytsev Davy Landman Michael Steindorfer 1 Introduction to Software Evolution Where are you? International

1.21k views • 82 slides

More recommend