Authenticated Encryption Requirements, David McGrew, mcgrew@cisco.com (PowerPoint PPT Presentation)



SLIDE 1

Desiderata | Current AEAD use | Evolution | Conclusions

Authenticated Encryption Requirements

David McGrew, mcgrew@cisco.com
Directions in Authenticated Ciphers, 2012

SLIDE 2


Many desirable attributes
  High security
  Computationally cheap
  Low latency
  Compact in software and/or hardware
  Re-use existing cryptographic components
  Randomized (no nonce)
  Misuse resistance
  Side channel resistance
  Forward security
  Postquantum
  Key agility
  Beyond birthday bound security
  Message length hiding

SLIDE 3


Domains of use

  Domain               Message size         Data rate          Goals
  Links                40 to 2000 bytes     0.6 to 100 Gbit    low latency
  Internet             40 to 2000 bytes     1 to 10 Mbit
  Low power wireless   1 to 100 bytes       20 to 250 Kbit     low expansion, compact
  Data at rest         512 to 4096 bytes    400 Mbit           randomized?

SLIDE 4


AEAD in standards
  AES-CCM: 802.11i, 802.15, ESP, TLS
  AES-GCM: 802.1AE (MACsec), INCITS Fibre Channel (FC-SP), IKE, ESP, TLS, SSH, and SRTP; P1619.1 and LTO-4 tape storage; Suite B
  AES-OCB: 802.11i
  Camellia-GCM: TLS
  ARIA-GCM: TLS
  SEED-GCM: TLS

SLIDES 5 to 13

Issues
  CCM
    Pre-encryption plaintext buffering
      but short messages used in practice
    Serialized
  GCM
    Authentication weaker for longer messages
      but short messages used in practice
    Nonce hashing imperfect
      but unused in practice
    Compact software implementations difficult
    Nonce re-use, short tags

SLIDE 14


GCM

$$Y_0 = \begin{cases} IV \,\|\, 0^{31}1 & \text{if } \mathrm{len}(IV) = w - 32 \\ \mathrm{GHASH}(H, \{\}, IV) & \text{otherwise.} \end{cases}$$

$$Y_i = \mathrm{incr}(Y_{i-1}) \quad \text{for } i = 1, \ldots, n$$

$$C_i = P_i \oplus E(K, Y_i) \quad \text{for } i = 1, \ldots, n - 1$$

$$C^*_n = P^*_n \oplus \mathrm{MSB}_u(E(K, Y_n))$$

$$T = \mathrm{MSB}_t(\mathrm{GHASH}(H, A, C) \oplus E(K, Y_0))$$

$$H = E(K, 0^w)$$
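The following is an added example, not code from McGrew's slides. It implements the GCM equations above (96-bit IV case, full tags) and then shows the "nonce re-use" issue listed on the Issues slide as a concrete forgery: two messages authenticated under the same (K, IV) leak the hash key H, after which tags can be forged for any ciphertext under that nonce (the simplest case of Joux's "forbidden attack"). Assumptions: the block cipher E(K, ·) is an HMAC-SHA256 stand-in for AES (the GF(2^128) algebra, which is all the attack uses, is unchanged), and the key, IV and plaintexts are constructed for the demo.

```python
"""GCM per SP 800-38D with a stand-in block cipher, plus hash-key recovery
under nonce re-use. Added example; AES is replaced by HMAC-SHA256 (assumption)."""
import hashlib
import hmac
import os

# GCM's bit-reflected GF(2^128): R = x^128 + x^7 + x^2 + x + 1, identity = 0x80..00
R = 0xE1 << 120
ONE = 1 << 127


def gf_mul(x: int, y: int) -> int:
    """Multiplication in GF(2^128), SP 800-38D Algorithm 1 (bit 0 = leftmost)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_pow(x: int, e: int) -> int:
    result, base = ONE, x
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def gf_inv(x: int) -> int:
    return gf_pow(x, (1 << 128) - 2)   # x^(2^128 - 2) = x^-1 for x != 0


def gf_sqrt(x: int) -> int:
    return gf_pow(x, 1 << 127)         # in characteristic 2, (x^(2^127))^2 = x


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher (assumption: truncated HMAC-SHA256, not AES)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:16]


def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH(H, A, C): zero-padded A, zero-padded C, then the 64||64-bit length block."""
    x = 0
    for data in (aad, ct):
        for i in range(0, len(data), 16):
            block = data[i:i + 16].ljust(16, b"\0")
            x = gf_mul(x ^ int.from_bytes(block, "big"), h)
    lengths = ((len(aad) * 8) << 64) | (len(ct) * 8)
    return gf_mul(x ^ lengths, h)


def _setup(key: bytes, iv: bytes):
    h = int.from_bytes(E(key, bytes(16)), "big")      # H = E(K, 0^w)
    y0 = int.from_bytes(iv + b"\0\0\0\1", "big")      # Y0 = IV || 0^31 1 (96-bit IV)
    return h, y0


def _keystream(key: bytes, y0: int, length: int) -> bytes:
    out = b""
    for i in range(1, -(-length // 16) + 1):
        y_i = ((y0 >> 32) << 32) | ((y0 + i) & 0xFFFFFFFF)   # Yi = incr(Y(i-1)), 32-bit counter
        out += E(key, y_i.to_bytes(16, "big"))
    return out[:length]


def gcm_encrypt(key: bytes, iv: bytes, aad: bytes, pt: bytes):
    h, y0 = _setup(key, iv)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, y0, len(pt))))
    tag = ghash(h, aad, ct) ^ int.from_bytes(E(key, y0.to_bytes(16, "big")), "big")
    return ct, tag


def gcm_decrypt(key: bytes, iv: bytes, aad: bytes, ct: bytes, tag: int):
    """Returns the plaintext, or None when the tag does not verify."""
    h, y0 = _setup(key, iv)
    expect = ghash(h, aad, ct) ^ int.from_bytes(E(key, y0.to_bytes(16, "big")), "big")
    if not hmac.compare_digest(expect.to_bytes(16, "big"), tag.to_bytes(16, "big")):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, y0, len(ct))))


# ---- attacker side: sees ciphertexts and tags only, knows neither K nor H ----

def recover_hash_key(c1: bytes, t1: int, c2: bytes, t2: int) -> int:
    """Two single-block, AAD-free messages under one nonce give T1 ^ T2 = (C1 ^ C2) * H^2
    (the E(K, Y0) mask and the equal length blocks cancel)."""
    diff = int.from_bytes(c1, "big") ^ int.from_bytes(c2, "big")
    return gf_sqrt(gf_mul(t1 ^ t2, gf_inv(diff)))


def forge_tag(h: int, c1: bytes, t1: int, aad: bytes, ct: bytes) -> int:
    mask = t1 ^ ghash(h, b"", c1)       # = E(K, Y0), shared by every message under this nonce
    return ghash(h, aad, ct) ^ mask


def demo() -> dict:
    key, iv = os.urandom(16), os.urandom(12)                 # constructed secrets
    p1, p2 = b"transfer $100.00", b"balance: ok     "        # two 16-byte messages
    c1, t1 = gcm_encrypt(key, iv, b"", p1)
    c2, t2 = gcm_encrypt(key, iv, b"", p2)                   # same IV: the nonce re-use
    h = recover_hash_key(c1, t1, c2, t2)
    # Bit-flip the plaintext through the CTR layer, then re-tag with the recovered H.
    target = b"transfer $900.00"
    c3 = bytes(c ^ a ^ b for c, a, b in zip(c1, p1, target))
    forged_pt = gcm_decrypt(key, iv, b"", c3, forge_tag(h, c1, t1, b"", c3))
    # The forgery is not limited to one block or to empty AAD.
    c4, aad4 = os.urandom(40), b"constructed header"
    accepted = gcm_decrypt(key, iv, aad4, c4, forge_tag(h, c1, t1, aad4, c4)) is not None
    return {"h_recovered": h == _setup(key, iv)[0],
            "forged_plaintext": forged_pt, "multiblock_accepted": accepted}
```

Run `demo()` to see the receiver accept `transfer $900.00` under a tag the key holder never produced. The point for the "per-packet hash key" proposal that follows: with a long-term H the leak is permanent for the key, not just for the repeated nonce.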

SLIDES 15 to 17

GCM evolution?

$$Y_0 = \begin{cases} IV \,\|\, 0^{31}1 & \text{if } \mathrm{len}(IV) = w - 32 \\ \mathrm{GHASH}(H, \{\}, IV) & \text{otherwise.} \end{cases}$$

$$Y_i = \mathrm{incr}(Y_{i-1}) \quad \text{for } i = 1, \ldots, n$$

$$C_i = P_i \oplus E(K, Y_i) \quad \text{for } i = 1, \ldots, n - 1$$

$$C^*_n = P^*_n \oplus \mathrm{MSB}_u(E(K, Y_n))$$

$$T = \mathrm{MSB}_t(\mathrm{HASH}(E(K, Y_0), A, C))$$

  per-packet hash key
  secure against nonce reuse, short authentication tags
  HASH can be software friendly (e.g. [RWB]) or E-based
  Broadens applicability, but may not address all domains

SLIDES 18 to 26

Recommendations
  Encourage exploration of design space
  Avoid over focus on performance, compactness, . . .
  Identify domains of use
    Low power wireless
  Document requirements within each domain
  Identify critical requirements
    Side channel resistance
    Available royalty-free worldwide