blockcipher based authentcated encryption how small can
play

Blockcipher-based Authentcated Encryption: How Small Can We Go? - PowerPoint PPT Presentation

Mar 28, 2023 •105 likes •470 views

Introduction Specification for COFB Hardware Implementation Results of COFB-AES Conclusions References Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (NTT Secure Platform laboratories, Japan) Tetsu Iwata

  1. Introduction Specification for COFB Hardware Implementation Results of COFB-AES Conclusions References Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (NTT Secure Platform laboratories, Japan) Tetsu Iwata (Nagoya University, Japan) Kazuhiko Minematsu (NEC Corporation, Japan) Mridul Nandi (Indian Statistical Institute, India) CHES 2017, Taipei, Taiwan September, 2017 1 COFB

  2. Introduction Specification for COFB Hardware Implementation Results of COFB-AES Conclusions References Introduction 1 Specification for COFB 2 Hardware Implementation Results of COFB-AES 3 Conclusions 4 References 5 2 COFB

  3. Introduction Specification for COFB Hardware Implementation Results of COFB-AES Conclusions References Authenticated Encryption (AE) A symmetric encryption scheme AE = ( K , E , D ) E : K ⇥ M ⇥ N ⇥ A ! C D : K ⇥ C ⇥ N ⇥ A ! M [ { ? } Figure: Data Transmission C set of tagged ciphertexts (Taken from [3]) ? : special symbol to denote reject Goal Primitive Security Privacy Symmetric Encryption IND-CCA/CPA Integrity MAC UF-CMA 3 COFB

  4. Introduction Specification for COFB Hardware Implementation Results of COFB-AES Conclusions References Authenticated Encryption (AE) Input � M , A , N , K Output � C K - Key space, M - Message space, N - Nonce space, A - Associated Data space, C - Ciphertext space Nonce Arbitrary number used only once for each encryption Useful as initialization vectors. Example: Counter Associated Data Header of the Message (not encrypted but authenticated) Example: IP Address 4 COFB

  5. Introduction Specification for COFB Hardware Implementation Results of COFB-AES Conclusions References Authenticated Encryption (AE) Why AE? In practice both privacy and authenticity are desirable Example taken from [3]: A doctor wishes to send medical information about Alice to the medical database. Then We want data privacy to ensure Alice’s medical records remain confidential We wantintegrity to ensure the person sending the information is really the doctor and the information was not modified in transit We refer to this as authenticated encryption 5 COFB

  6. Introduction Specification for COFB Hardware Implementation Results of COFB-AES Conclusions References Security of Authenticated Encryption [4] Privacy We want IND-CPA Integrity Adversary’s goal: Receiver accepts a forged tuple (( C ∗ , T ) , N , A ) INT-CTXT: Any forged tuple is rejected with high probability Goal - IND-CPA + INT-CTXT 6 COFB

  7. Introduction Specification for COFB Hardware Implementation Results of COFB-AES Conclusions References Unified AE Security Adversary A runs in time t A makes q enc queries ( σ enc blocks) q f forge queries ( σ f forge blocks) Adv AE E ( A ) = ∆ A (( E K , D K ); ($ , ? )) $ returns a random string from the range set of E K ? oracle always returns ? Adv AE E (( q , q f ) , ( σ , σ f ) , t ) = max A Adv AE E ( A ) 7 COFB

  8. Introduction Specification for COFB Hardware Implementation Results of COFB-AES Conclusions References Construction of AE Scheme Several Ways of Designing AE Blockcipher(BC) based, Streamcipher(SC) based, Permutation based etc. We consider BC based AE BC Based AE Sequential nonce-based AE: CLOC, SILC Parallel on-line AE: ELmD, COPA, COLM Parallel nonce-based AE: OCB, OTR Our target: Sequential nonce-based AE Need to design Feedback function 8 COFB

  9. Introduction Specification for COFB Hardware Implementation Results of COFB-AES Conclusions References Possible Options for Feedback Message Feedback Current M [ i ] is the feedback X [ i ] for the next BC call Ciphertext Feedback Current C [ i ] is the feedback X [ i ] Output Feedback Previous BC output Y [ i � 1] is the feedback X [ i ] We Use Combined Feedback First 3 can not fullfill our needs (small state rate-1 AE) X [ i ] can not be computed by exactly one of M [ i ], C [ i ], Y [ i � 1] 9 COFB

  10. Introduction Specification for COFB Hardware Implementation Results of COFB-AES Conclusions References Di ff erent Feedback Modes and COFB (Combined Feedback) Mode X [ i − 1] X [ i − 1] X [ i − 1] X [ i − 1] R ρ R R R X [ i ] X [ i ] M [ i ] G M [ i ] X [ i ] M [ i ] X [ i ] M [ i ] C [ i ] C [ i ] C [ i ] Output Message C [ i ] Ciphertext feedback feedback feedback Combined feedback 10 COFB

  11. Introduction Specification for COFB Design of COFB AE Hardware Implementation Results of COFB-AES Security Bounds Conclusions Properties References Introduction 1 Specification for COFB 2 Design of COFB AE Security Bounds Properties Hardware Implementation Results of COFB-AES 3 Conclusions 4 References 5 11 COFB

  12. Introduction Specification for COFB Design of COFB AE Hardware Implementation Results of COFB-AES Security Bounds Conclusions Properties References Goal of This Design Lightweight AE mode Use low storage Standard security bound (close to the birthday bound on block size) Security proof in the standard model Smaller hardware area than the existing ones Very low number of gates other than the BC 12 COFB

  13. Introduction Specification for COFB Design of COFB AE Hardware Implementation Results of COFB-AES Security Bounds Conclusions Properties References Design Rationale and Challenges COFB: Uses Combined Feedback It needs n bits for storing the BC state It needs k bits for storing the BC key It needs n / 2 bits more for masking Each BC input is masked in a similar manner to XEX [7] TBC But here mask is only n / 2 bits instead of n Su ffi cient for standard security bound: thanks to our feedback function 13 COFB

  14. Introduction Specification for COFB Design of COFB AE Hardware Implementation Results of COFB-AES Security Bounds Conclusions Properties References Benchmarking in Terms of State Size Rate: Data block/BC calls Scheme State Size Rate Security Proof COFB 1 . 5 n + k 1 Yes 1 JAMBU [9] 1 . 5 n + k Yes (Integrity only) 2 1 CLOC/ SILC [5, 6] 2 n + k Yes 2 iFEED [10] 3 n + k 1 Yes (Was Wrong)(attack in [8]) OCB [7] � 3 n + k 1 Yes 1 COLM [2] 3 n + k Yes 2 14 COFB

  15. Introduction Specification for COFB Design of COFB AE Hardware Implementation Results of COFB-AES Security Bounds Conclusions Properties References COFB AE Mode ∆ = E K ( N ) [ n / 4+1 .. 3 n / 4] mask ∆ (1 , 0) mask ∆ (2 , 0) mask ∆ (2 , δ A ) 0 n/ 2 N Z [1] Z [2] Z [3] mask ∆ ( a , b ) = α a (1 + α ) b ∆ X [1] X [2] X [3] (Tweak fn described later) E K E K E K E K Y [0] Y [1] Y [2] ρ 1 ( y , A ) := G · y � A A [1] ρ 1 A [2] ρ 1 A [3] ρ 1 Y [3] ρ ( y , M ) = ( ρ 1 ( y , M ) , y � M ) mask ∆ (3 , δ A ) mask ∆ (4 , δ A ) mask ∆ (4 , δ A + δ M ) G : Full rank matrix 6 = I X [1] X [2] X [3] ( ρ , ρ 1 described later) X [4] X [5] X [6] Y [3] E K E K E K For B = A / M ρ Y [4] Y [5] Y [6] If B 6 = λ ^ n divides | B | M [1] ρ 1 M [2] ρ M [3] ρ T Then δ B = 1 C [2] C [3] Else δ B = 2 C [1] 15 COFB

  16. Introduction Specification for COFB Design of COFB AE Hardware Implementation Results of COFB-AES Security Bounds Conclusions Properties References Instantiation of COFB AE Mode : COFB-AES Underlying BC We use AES - 128 as the underlying BC n = 128 Mask Function mask - mask is a simple tweak update function ρ 1 and ρ Functions ρ 1 and ρ Functions - Simple linear feedback functions Last block has a di ff erent tweak 16 COFB

  17. Introduction Specification for COFB Design of COFB AE Hardware Implementation Results of COFB-AES Security Bounds Conclusions Properties References Tweak Function ∆ - 64-bit value derived from encryption of nonce Standard size is 128 bits but 64 bits are su ffi cient Computed/updated by mask ∆ ( a , b ) = α a (1 + α ) b . ∆ α - primitive element of F 2 64 This idea has been taken from XEX [7] (but masked length is halved) ( a , b ) 2 [0 .. L ] ⇥ [0 .. 4], L be the message length in blocks 17 COFB

  18. Introduction Specification for COFB Design of COFB AE Hardware Implementation Results of COFB-AES Security Bounds Conclusions Properties References Linear Feedback Functions ρ 1 and ρ ρ 1 ( y , M ) := G · y � M and ρ ( y , M ) = ( ρ 1 ( y , M ) , y � M ) G : ( y 1 , y 2 , y 3 , y 4 ) ! ( y 2 , y 3 , y 4 , y 4 � y 1 )  0 I 0 0  0 0 I 0   G n × n =   0 0 0 I   I 0 0 I 18 COFB

  19. Introduction Specification for COFB Design of COFB AE Hardware Implementation Results of COFB-AES Security Bounds Conclusions Properties References Security Level for COFB-AES Security Bound for Privacy Nonce- respecting adversary Almost Birthday Bound of 64 bits for Privacy Security Bound for Authenticity Nonce- respecting adversary Almost Birthday Bound of 64 bits for Authenticity COFB mode is secure upto O ( 2 n / 2 n ) queries (almost birthday bound with block size n) 19 COFB

  20. Introduction Specification for COFB Design of COFB AE Hardware Implementation Results of COFB-AES Security Bounds Conclusions Properties References Important Features of COFB AE Advantages Rate = 1 Very low state size of 1 . 5 n + k (n: state size, k : key size) Very flexible mode ( any BC can be used) inverse - free Simple linear feedback Very lightweight and consumes low hardware area Limitations Both the encryption and decryption are completely serial 20 COFB

  21. Introduction Specification for COFB Hardware Implementation Results of COFB-AES Conclusions References Introduction 1 Specification for COFB 2 Hardware Implementation Results of COFB-AES 3 Conclusions 4 References 5 21 COFB

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (Indian

Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (Indian

Introduction Idealized Combined Feedback Construction : iCOFB Specification for COFB Hardware Implimentation Results of COFB Conclusion Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (Indian Statistical

457 views • 35 slides
New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata Ibaraki University March 17, 2006 Fast Software Encryption, FSE 2006, Graz, Austria, March 1517, 2006 Blockcipher Modes Algorithms

1.42k views • 30 slides
Design approach to efficient blockcipher modes Kazuhiko Minematsu, NEC Corporation The Fourth

Design approach to efficient blockcipher modes Kazuhiko Minematsu, NEC Corporation The Fourth

Design approach to efficient blockcipher modes Kazuhiko Minematsu, NEC Corporation The Fourth Asian Workshop on Symmetric Key Cryptography, 19%22, December 2014, SETS Chennai, India 1 Introduction Blockcipher mode : turning a blockcipher

702 views • 59 slides
Salvaging Weak Security Bounds for Blockcipher-based Constructions Thomas Shrimpton (University

Salvaging Weak Security Bounds for Blockcipher-based Constructions Thomas Shrimpton (University

Salvaging Weak Security Bounds for Blockcipher-based Constructions Thomas Shrimpton (University of Florida) Seth Terashima (Qualcomm Technologies, inc.) What weak bounds? ...from encrypting lots of data Intel Hardware RNG: Single-machine

246 views • 23 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho

The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho

The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho Moriai 1 , Tetsu Iwata 2 1 Sony Corporation 2 Nagoya University Direction for designing a new blockcipher Priority for Choosing an algorithm 1.

464 views • 19 slides
Innovations in permutation-based encryption & authentication . based on joint work with

Innovations in permutation-based encryption & authentication . based on joint work with

Innovations in permutation-based encryption & authentication . based on joint work with Fast Software Encryption Conference 2017 1 Joan Daemen 1 , 2 Guido Bertoni 1 , Michal Peeters 1 , Gilles Van Assche 1 and Ronny Van Keer 1 1

855 views • 30 slides
Minimum Blockcipher Calls for Block cipher based Designs Mridul Nandi Indian Statistical

Minimum Blockcipher Calls for Block cipher based Designs Mridul Nandi Indian Statistical

Minimum Blockcipher Calls for Block cipher based Designs Mridul Nandi Indian Statistical Institute, Kolkata mridul@isical.ac.in 30th Sept, ASK-2015, NTU, Singapore Symmetric Key Primitives Distinguishing Game Distinguishing a real keyed

588 views • 33 slides
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp ESC, Echternach Symmetric Crypto seminar January 11, 2008 Blockcipher plaintext M

576 views • 40 slides
Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan Daemen 1 , Michal Peeters 2 , and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. While mainstream symmetric cryptography has

519 views • 12 slides
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp Africacrypt 2008, Casablanca, Morocco June 11, 2008 Blockcipher plaintext M key K E

720 views • 37 slides
New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques Allison Lewko Brent Waters Roots of Attribute-Based Encryption Moving beyond Public Key Encryption: CEO Manager 1 Manager 2 Bob

341 views • 19 slides
Some applications and protocols Internet Casino Identity-based encryption Commitment

Some applications and protocols Internet Casino Identity-based encryption Commitment

Some applications and protocols Internet Casino Identity-based encryption Commitment Functional encryption Shared coin flips Fully-homomorphic encryption APPLICATIONS AND PROTOCOLS Threshold cryptography Searchable

399 views • 11 slides
A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University, Israel 2012 Lattice-Based Encryption Schemes 1. NTRU [Hoffstein,

849 views • 47 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
Semi-Lagrangian Simulations for Solving 2d2v Vlasov-Poisson Systems (one and two species) Yann

Semi-Lagrangian Simulations for Solving 2d2v Vlasov-Poisson Systems (one and two species) Yann

Semi-Lagrangian Simulations for Solving 2d2v Vlasov-Poisson Systems (one and two species) Yann Barsamian 1,3 , Joackim Bernier 4 , Sever Hirstoaga 1,2 , Michel Mehrenberger 1,2 , Eric Violard 1,3 1. 2. CNRS IRMA (MoCo), INRIA (TONUS) 3. CNRS

659 views • 42 slides
Fluid Dynamics CSE169: Computer Animation Steve Rotenberg UCSD, Winter 2017 Fluid Dynamics

Fluid Dynamics CSE169: Computer Animation Steve Rotenberg UCSD, Winter 2017 Fluid Dynamics

Fluid Dynamics CSE169: Computer Animation Steve Rotenberg UCSD, Winter 2017 Fluid Dynamics Fluid dynamics refers to the physics of fluid motion The Navier-Stokes equation describes the motion of fluids and can appear in many forms

634 views • 47 slides
Schwarz waveform relaxation algorithms : theory and applications Laurence HALPERN LAGA -

Schwarz waveform relaxation algorithms : theory and applications Laurence HALPERN LAGA -

Introduction The SWR algorithm for advection diffusion equation The two-dimensional wave equation Conclusion und perspectives Schwarz waveform relaxation algorithms : theory and applications Laurence HALPERN LAGA - Universit e Paris 13

710 views • 53 slides
The EUROCS stratocumulus case: Observations and numerical simulations of the diurnal cycle of

The EUROCS stratocumulus case: Observations and numerical simulations of the diurnal cycle of

The EUROCS stratocumulus case: Observations and numerical simulations of the diurnal cycle of stratocumulus Status on the intercomparison; data availability, deliverables, papers Peter Duynkerke Stephan de Roode Herve Grenier (1) Institute for

698 views • 22 slides
Tweaks and Keys for Block Ciphers: the TWEAKEY Framework Jrmy Jean - Ivica Nikoli - Thomas

Tweaks and Keys for Block Ciphers: the TWEAKEY Framework Jrmy Jean - Ivica Nikoli - Thomas

Tweaks and Keys for Block Ciphers: the TWEAKEY Framework Jrmy Jean - Ivica Nikoli - Thomas Peyrin NTU - Singapore ASIACRYPT 2014 Kaohsiung, Taiwan - December 11, 2014 Introduction The TWEAKEY Framework The STK Construction AE with TBC

586 views • 32 slides
8.286 Leture 9 Otober 10, 2018 DYNAMICS OF HOMOGENEOUS EXPANSION, PART IV Summary of

8.286 Leture 9 Otober 10, 2018 DYNAMICS OF HOMOGENEOUS EXPANSION, PART IV Summary of

8.286 Leture 9 Otober 10, 2018 DYNAMICS OF HOMOGENEOUS EXPANSION, PART IV Summary of Leture 8 Age of a Flat Matter-Dominated Universe: 2 2 = 3 1 a ( t ) / = ) = t t H 3 1 1 F or = 67 : 7 0 : 5

663 views • 15 slides
Shape optimization of a coupled thermal fluid-structure problem in a level set mesh evolution

Shape optimization of a coupled thermal fluid-structure problem in a level set mesh evolution

Shape optimization of a coupled thermal fluid-structure problem in a level set mesh evolution framework Florian Feppon Gr egoire Allaire, Charles Dapogny Julien Cortial, Felipe Bordeu ECCM June 12, 2018 Outline 1. Hadamards

783 views • 33 slides
!"#$%"&'()*+,-./0+ 123441+5+16+7"8)9()*+2411+

!"#$%"&'()*+,-./0+ 123441+5+16+7"8)9()*+2411+

!"#$%"&'()*+,-./0+ 123441+5+16+7"8)9()*+2411+ :(;(#-)&+"'+(<3+=2442>+ 9&#")?('")3.-%3(9+ B(%8)$(&C+ @3+A*)-?+ D"?E-9&#<(&#+ F4+.%+

714 views • 23 slides

More recommend