Hash-CFB Authenticated Encryption Without a Block Cipher Christian - - PowerPoint PPT Presentation
Hash-CFB Authenticated Encryption Without a Block Cipher Christian Forler 1 , Stefan Lucks 1 , David McGrew 2 , Jakob Wenzel 1 1 Bauhaus-Universitt Weimar, Germany, 2 Cisco Systems, USA DIAC, Stockholm, July, 2012 1 C. Forler, S. Lucks,
1Bauhaus-Universität Weimar, Germany, 2Cisco Systems, USA
–1–
–2–
◮ easy to describe ◮ easy to implement ◮ easy to analyze
–3–
tag M[n] C[n] M[2] C[2] M[1] C[1] nonce
◮ privacy: CFB encryption ◮ authenticity: trivial attacks! –4–
M[1] C[1] M[2] C[2] M[n] C[n] tag 1 1 1 2 nonce
◮ privacy: the same as CFB encryption ◮ authenticity: secure – see later
–4–
C[1] C[2] C[n] M[1] M[2] M[n] C[1] C[n] C[n−1] 1 1 1 T[1] T[n−1] T[n] T[0] T[2] S
tag nonce key 2
◮ long-term key and nonce define message-secret S –5–
C[1] C[2] C[n] M[1] M[2] M[n] C[1] C[n] C[n−1] 1 1 1 T[1] T[n−1] T[n] T[0] T[2] S
tag nonce key 2
◮ long-term key and nonce define message-secret S ◮ S is xor-ed to the previous hash output
–5–
C[1] C[2] C[n] M[1] M[2] M[n] C[1] C[n] C[n−1] 1 1 1 T[1] T[n−1] T[n] T[0] T[2] S
tag nonce key 2
◮ long-term key and nonce define message-secret S ◮ S is xor-ed to the previous hash output
◮ use a VIL (variable input length) hash of the
–5–
–6–
–6–
–6–
–6–
◮ assume the hash function behaves like a good PRF ◮ restrict the adversary to be nonce-respecting ◮ privacy: chosen plaintext attack (CPA) resistant ◮ authenticity: integrity of ciphertexts (Int-CTXT) ◮ more privacy: CPA and Int-CTXT ⇒ CCA –7–
message (assoc. data) ciphertext
key nonce
◮ nonce misuse: the adversary is not always nonce
◮ privacy: still holds when using a new nonce ◮ authenticity: not affected (!)
◮ weak assumptions:
◮ privacy: requires the FIL HF to be a good PRF ◮ authenticity: only requires “forgery resistance” of the
◮ side-channel resistance: (see below) –8–
◮ privacy: similar to block cipher based CFB ◮ authenticity: for queries, the final hash input to
C[n] M[n] C[n] C[n−1] 1 T[n−1] T[n] tag 2
◮ T[n] is a (keyed) hash
◮ the postfix 2 is only
–9–
◮ many measurements of a primitive operations under
◮ X messages, each of length L blocks:
–10–
C[1] C[2] C[n] M[1] M[2] M[n] C[1] C[n] C[n−1] 1 1 1 T[1] T[n−1] T[n] T[0] T[2] S
tag nonce key 2
◮ X messages, each of length L, nonce-respecting:
◮ even when not nonce-respecting:
–11–
◮ in the paper
◮ SHA-224-based instantiation of HASH-CFB: ◮ one FIL hash ⇔ one compression function call
◮ our goals:
◮ secure, feasable on constrained devices, simple,
◮ using a hash function seems to be a good approach
◮ security requirements (beyond “standard”):
◮ authenticity even under nonce reuse ◮ authenticity needs weaker assumption than privacy ◮ some defense against side-channel attacks
◮ for discussion at DIAC:
◮ Should such security requirements become a
–12–