Authenticated Encryption with Variable Stretch, Reza Reyhanitabar (PowerPoint PPT Presentation)


  1. Authenticated Encryption with Variable Stretch
     Reza Reyhanitabar (1), Serge Vaudenay (2), Damian Vizár (2)
     (1) NEC Laboratories Europe, Germany; (2) EPFL, Switzerland
     DIAC 2016: Directions in Authenticated Ciphers 2016
     This work was partially supported by Microsoft Research
     D. Vizár (EPFL) Variable Stretch-AE DIAC 2016 1 / 22

  2. Authenticated Encryption ??!!
     [Figure: M and A enter Enc under K, giving a random-looking ciphertext; Dec under K returns M or ⊥]
     ◮ Confidentiality + Authenticity/Integrity for M [Bellare, Namprempre 00], [Katz, Yung 00]
     ◮ Authenticity for A [Rogaway 02]
     Need redundancy

  4. Ciphertext Expansion a.k.a. Stretch
     Redundancy in AE: ciphertext expansion
     [Figure: M enters Enc under K; ciphertext C is M plus τ bits]
     Ciphertext expanded by τ bits ⇒ expected cost of forgery: ≈ 2^τ queries

  5. How to Stretch? w.r.t. the Syntax of Security Notions
     Group 1: (Mostly) constant τ, parameter of the scheme
       • nAE [Rogaway, Bellare, Black, Krovetz 01]
       • AEAD [Rogaway 02]
       • DAE and MRAE [Rogaway, Shrimpton 06]
       • OAE [Fleischmann, Forler, Lucks 12]
       • AE-RUP [Andreeva, Bogdanov, Luykx, Mennink, Mouha, Yasuda 14]
       • OAE2 [Hoang, Reyhanitabar, Rogaway, V 15]
       ◮ Different tag lengths ⇒ independent keys
     Group 2: User-selectable τ per query
       • RAE [Hoang, Krovetz, Rogaway 15]
       ◮ “Best possible security”, hard to achieve
       ◮ Cannot be “online”
       ◮ Complicated, difficult to implement

  7. Stretch-Misuse
     Group 1: Constant τ, parameter of the scheme
       • nAE  • AEAD  • DAE and MRAE  • OAE  • AE-RUP  • OAE2
     What happens if stretch is (mis)treated as a user input?

  9. Stretch-Misuse: Why Should We Consider It?
     Because it is tempting:
       Handling multiple keys is annoying
       “Sliding-scale” authenticity as a feature
         • (τ bits of stretch ⇒ τ bits of authenticity for individual messages)
         • E.g. moderate τ1 for most messages and huge τ2 for critical ones
       Saving resources in constrained systems
         • E.g. sensor nodes: wireless communication is expensive
         • Reducing security to increase battery life (key exchange way too expensive)
     Because it is easy to do:
       Most often: a default authentication tag that is truncated
       [Figure: Enc_K(N, A, M) outputs C-core and an n-bit tag T; trunc keeps τ bits of T]
     Because it is a matter of “when”, not “if” a misuse occurs
       Past examples of this for other misuses
     ... and because there are attacks

  13. Nonce-based AE with Associated Data (AEAD)
     [Figure: Enc_K(N, A, M) → C; Dec_K(N, A, C) → M or ⊥]
     Enc, Dec: deterministic algorithms
     N: Nonce (public message number) that must not repeat
     A: Associated Data that must be authenticated, but not encrypted
     M: Plaintext that must be encrypted and authenticated
     C: Ciphertext (stretched by τ bits)
     K: Secret key


  16. Nonce-based AE with Associated Data
     N never repeats, (N, A, C) not trivially correct:
     [Figure: adversary A queries either the real oracles Enc_K(·,·,·) / Dec_K(·,·,·), or the ideal oracles $(·,·,·) / ⊥(·,·,·)]
     $\mathrm{Adv}^{\mathrm{aead}}_{\Pi}(A) = \Pr\left[A^{\mathrm{Enc}_K(\cdot,\cdot,\cdot),\,\mathrm{Dec}_K(\cdot,\cdot,\cdot)} \Rightarrow 1\right] - \Pr\left[A^{\$(\cdot,\cdot,\cdot),\,\bot(\cdot,\cdot,\cdot)} \Rightarrow 1\right]$
     ... and the ciphertext expansion is assumed to be constant

  18. Trivial Tag Length-Variation Attack on AEAD
     “Versions of OCB with different tag lengths exist, tag truncation trivially correct if used under same key” [Manger 13, CFRG discussion]
     1. Query C ‖ T ← OCB[128]_K(N, A, M) for target (N, A, M)
     2. Compute T′ ← trunc(T, 64)
     3. “Forge”: C ‖ T′ is accepted by OCB[64]^{-1}_K(N, A, C ‖ T′)
     [Figure: Enc_K(N, A, M) outputs C-core and an n-bit tag T; trunc keeps τ bits]
     Obvious property, but ... contradicts the intuition of τ-bit resistance to forgery

  19. Trivial Tag Length-Variation Attack on AEAD
     “Would it be better if the algorithms with different tag lengths could not affect each other?” Probably!
     Ad-hoc solutions proposed:
       OCB adopts fix proposed by Manger: “just drop the tag length into the nonce”
       Nandi proposes to do the same with AD
       CLOC&SILC, OTR and OMD heuristically tweaked for round 2 of CAESAR competition
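As an added illustration (not from the slides, and not OCB), a constructed toy encrypt-then-MAC AEAD shows the same-key truncation property of slide 18 and how binding the stretch τ into the authenticated input, as proposed above, makes the τ = 64 decryptor reject a tag cut down from the τ = 128 version; the keystream, key and messages are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed toy AEAD: SHA-256 counter keystream + HMAC tag truncated to
# tau bits. Illustration of tag-length domain separation only, not a cipher
# anyone should deploy.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _tag(key, nonce, ad, core, tau, bind_tau):
    # bind_tau=False: tags for every tau are truncations of one n-bit tag.
    # bind_tau=True: tau is authenticated together with the AD (Nandi's
    # proposal on the slide), so different stretches give unrelated tags.
    hdr = tau.to_bytes(2, "big") if bind_tau else b""
    data = hdr + nonce + len(ad).to_bytes(4, "big") + ad + core
    return hmac.new(key, data, hashlib.sha256).digest()[: tau // 8]

def encrypt(key, nonce, ad, msg, tau, bind_tau=False):
    core = bytes(m ^ k for m, k in zip(msg, _keystream(key, nonce, len(msg))))
    return core + _tag(key, nonce, ad, core, tau, bind_tau)

def decrypt(key, nonce, ad, ct, tau, bind_tau=False):
    tag_len = tau // 8
    core, tag = ct[:-tag_len], ct[-tag_len:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ad, core, tau, bind_tau)):
        return None  # reject (⊥)
    return bytes(c ^ k for c, k in zip(core, _keystream(key, nonce, len(core))))

def truncated_tag_accepted(bind_tau: bool) -> bool:
    """Is a tau=128 ciphertext, tag cut to 64 bits, accepted by the tau=64
    decryptor under the same key? True without binding, False with it."""
    key = bytes(range(32))  # constructed fixed key for reproducibility
    nonce, ad, msg = b"nonce-0001", b"header", b"attack at dawn"
    ct128 = encrypt(key, nonce, ad, msg, 128, bind_tau)
    core, tag128 = ct128[:-16], ct128[-16:]
    return decrypt(key, nonce, ad, core + tag128[:8], 64, bind_tau) == msg
```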

  20. Gradual Forgery for Ciphertext Translation
     Ciphertext Translation: message-only core + AD-“hash”
     [Figure: E_K(N, M) outputs |M| + τ bits (C_M and a τ-bit tag); H_K(A), n bits, is padded as 0^{|M|} ‖ H_K(A) and XORed in to give C]
     Message-ciphertext already “looks random”
     H_K can be AXU

  21. Gradual Forgery for Ciphertext Translation: The Attack
     Original attack: gradual forgery on OMD [Dobraunig, Eichlseder, Mendel, Schläffer 14]
     Access to Enc and Dec oracles with stretch τ1 < τ2 < ... < τg using the same key, scheme with ciphertext translation structure
     Forgery for N, A*, M with τg bits of stretch
     [Figure: A has oracles Enc_K[τ1], ..., Enc_K[τg] and Dec_K[τ1], ..., Dec_K[τg]]
     1. Pick some A ≠ A*
     2. Get C ‖ T ← Enc[τ1](N, A, M)
     3. Find δ ∈ {0,1}^{τ1} s.t. Dec[τ1](N, A*, C ‖ (T ⊕ δ)) succeeds
     4. Set Δ_A ← δ   ⊲ Δ_A = trunc(H_K(A) ⊕ H_K(A*), τ1)
     5. Get C ‖ T ← Enc[τ2](N, A, M)
     6. Find δ ∈ {0,1}^{τ2 − τ1} s.t. Dec[τg](N, A*, C ‖ (T ⊕ (Δ_A ‖ δ))) succeeds
     7. Set Δ_A ← Δ_A ‖ δ
     ...
     Get C ‖ T ← Enc[τg](N, A, M)
     Find δ ∈ {0,1}^{τg − τ(g−1)} s.t. Dec[τg](N, A*, C ‖ (T ⊕ δ)) succeeds
     Output forgery N, A*, C ‖ (Δ_A ‖ δ)
