mcoe a family of almost foolproof on line authenticated
play

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption - PowerPoint PPT Presentation

Oct 16, 2022 •191 likes •473 views

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann Christian Forler Stefan Lucks Bauhaus-Universit at Weimar FSE 2012 Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . 1

  1. McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann Christian Forler Stefan Lucks Bauhaus-Universit¨ at Weimar FSE 2012 Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –1–

  2. Overview Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –2–

  3. 1. Motivation ◮ Goldwasser and Micali (1984): requirement: given 2 ciphertexts, adversary cannot even detect when the same plaintext has been encrypted twice consequence: encryption stateful or probabilitistic (or both) ◮ Rogaway (FSE 2004): formalizes state/randomness by nonces Plaintext Header Key Nonce 01 02 03 ... Ciphertext Authentication Tag Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –3–

  4. Authenticated Encryption ◮ first studied by Katz and Young (FSE 2000) and Bellare and Namprempre (Asiacrypt 2000) ◮ since then many proposed schemes, ◮ nonce based, Plaintext Header Key Nonce 01 02 03 ... Ciphertext Authentication Tag ◮ and proven secure assuming a “nonce-respecting adversary” ◮ any implementation allowing a nonce reuse is not our problem . . . but maybe it should Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –4–

  5. Nonce Reuse in Practice ◮ IEEE 802.11 [Borisov, Goldberg, Wagner 2001] ◮ PS3 [Hotz 2010] ◮ WinZip Encryption [Kohno 2004] ◮ RC4 in MS Word and Excel [Wu 2005] ◮ . . . application programmer other issues: mistakes: ◮ restoring a file from a backup ◮ cloning the virtual machine the application runs on ◮ . . . Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –5–

  6. Nonce Reuse – what to Expect? our reasonable (?) expectations ◮ some plaintext information leaks: ◮ identical plaintexts ◮ common prefixes ◮ ect. ◮ but not too much damage: 1. authentication not affected 2. no immediate plaintext recovery Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –6–

  7. Nonce Reuse – what Really Happens! a double-disaster for almost all current AE schemes 1. forgeries 2. plaintext recoveries (often like “one-time-pad used twice”) Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –7–

  8. Systems with Protection from Nonce Reuse SIV (Rogaway, Shrimpton, Eurocrypt 06) and similar schemes Sequentially execute the following two steps: 1. generate authentication tag (from nonce, header, plaintext) 2. encrypt plaintext, using tag as “syntetic” nonce Plaintext Header Nonce Key 01 02 03 ... Ciphertext Tag Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –8–

  9. Properties of SIV and its Fellows? security under nonce reuse meets our “reasonable expectations”: authenticity: not affected! privacy: leaks whether two plaintexts are equal, but not more but inherently off-line (user must read entire plaintext twice): ◮ high latency (first bit of ciphertext can only be sent after last bit of plaintext has been read) ◮ storage issues (enjoy encrypting your harddisk backup . . . ) Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –9–

  10. 2. The McOE Approach 1st plaintext P P P P P P 1 2 3 4 5 6 on-line permutations ciphertexts (Bellare et al., Crypto 01): 2nd plaintext P P P P’ P P 1 2 3 4 5 6 common prefix security under nonce reuse still meets “reasonable expectations”: authenticity: not affected! privacy: leaks whether two plaintexts are equal the length of common plaintext prefixes, but not more Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –10–

  11. Our Main Tool: Chaining Blockciphers for the moment, assume we actually have such primitives plaintext ◮ like a block cipher ◮ two additional parameters: input cv output cv ◮ “input chaining value” ◮ “output chaining value” ciphertext ◮ for fixed input cv good block cipher (PRP) ◮ regarding the output cv good keyed hash function : ◮ weak collision resistance (hard to find two input pairs with colliding output cv s) ◮ weak preimage resistance (hard to find an input pair with output cv = 000 ) Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –11–

  12. McOE nonce P[1] P[2] P[m] Z H[m+1] 000 H[1] H[2] H[3] H[m] Z C[1] C[2] C[m] tag 1. Encrypt nonce , using 000 , to generate H[1] and secret Z . 2. For i in 1, . . . , m : encrypt P[i] , using H[i] , to generate H[i +1 ] and C[i] . 3. Encrypt Z , using H[m+1] , to generate the authentication tag . Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –12–

  13. 3. Why is this secure? (Some Intuition) nonce P[1] P[2] P[m] Z H[m+1] 000 H[1] H[2] H[3] H[m] Z C[1] C[2] C[m] tag 1. nonce -reuse: an Ind-CPA secure OPerm ( → next slide) (common plaintext prefixes ↔ common ciphertext prefixes) Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –13–

  14. 3. Why is this secure? (Some Intuition) nonce P[1] P[2] P[m] Z H[m+1] 000 H[1] H[2] H[3] H[m] Z C[1] C[2] C[m] tag 1. nonce -reuse: an Ind-CPA secure OPerm ( → next slide) (common plaintext prefixes ↔ common ciphertext prefixes) 2. nonce -respecting: Ind-CPA secure (different nonce s make common plaintext prefixes disappear) Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –13–

  15. 3. Why is this secure? (Some Intuition) nonce P[1] P[2] P[m] Z H[m+1] 000 H[1] H[2] H[3] H[m] Z C[1] C[2] C[m] tag 1. nonce -reuse: an Ind-CPA secure OPerm ( → next slide) (common plaintext prefixes ↔ common ciphertext prefixes) 2. nonce -respecting: Ind-CPA secure (different nonce s make common plaintext prefixes disappear) 3. Int-CTXT secure: A forger would need to predict tag , the encryption of Z using H[m+1] . But Z is secret. Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –13–

  16. Nonce-Reuse: Ind-CPA-secure OPerm (1) nonce P[1] P[2] P[m] Z H[m+1] 000 H[1] H[2] H[3] H[m] Z C[1] C[2] C[m] tag ◮ Consider a query ( nonce , P[1] , . . . , P[m] ). ◮ Let i ∈ { 1 , . . . , m } be the smallest index, such that there is no other query ( nonce , P[1] , . . . , P[i] , . . . ) with the same nonce and i blocks of prefix. ◮ H[i] is uniquely determined. Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –14–

  17. Nonce-Reuse: Ind-CPA-secure OPerm (2) nonce P[i] Z 000 H[i] H[i+1] Z C[i] tag H[i] is given, P[i] is new. Exploit the properties of the chaining bc: Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –15–

  18. Nonce-Reuse: Ind-CPA-secure OPerm (2) nonce P[i] Z 000 H[i] H[i+1] Z C[i] tag H[i] is given, P[i] is new. Exploit the properties of the chaining bc: ◮ Good block cipher: C[i] is like a random value. ◮ Good keyed hash function: H[i+1] has never been used before as an input cv . Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –15–

  19. Nonce-Reuse: Ind-CPA-secure OPerm (2) nonce P[i] P[i+1] Z 000 H[i] H[i+1] H[i+1] Z C[i] C[i+1] tag H[i] is given, P[i] is new. Exploit the properties of the chaining bc: ◮ Good block cipher: C[i] is like a random value. ◮ Good keyed hash function: H[i+1] has never been used before as an input cv . Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –15–

  20. Nonce-Reuse: Ind-CPA-secure OPerm (2) nonce P[i] P[i+1] Z 000 H[i] H[i+1] H[i+1] Z C[i] C[i+1] tag H[i] is given, P[i] is new. Exploit the properties of the chaining bc: ◮ Good block cipher: C[i] is like a random value. ◮ Good keyed hash function: H[i+1] has never been used before as an input cv . ◮ Good block cipher: C[i+1] is like a random value. ◮ Good keyed hash function: H[i+2] has never been used before as an input cv . ◮ . . . Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –15–

  21. What if the last plaintext block P[m] is not a full block? ◮ Ciphertext stealing does not work. ◮ New approach: “ tag splitting ”. See the paper. Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –16–

  22. 4. Implementation (Chaining Block Cipher) Use a tweakable block cipher, instead: plaintext tweak = output cv input cv ciphertext 1. Set tweak := input cv 2. Set output cv := plaintext ⊕ ciphertext . Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –17–

  23. McOE-X - we don’t have a Tweakable BC! . . . at least no n -bit bc with n -bit tweaks – so use an ordinary one: plaintext input cv output cv ciphertext 1. Xor the input cv into the key . 2. Set output cv := plaintext ⊕ ciphertext (as before). ◮ Exposes the underlying block cipher to related-key attacks. ◮ Performs poor if the key schedule is slow. Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –18–

  24. Other Constuctions for a Chaining BC McOE-G McOE-D plaintext plaintext input cv input cv output cv output cv univ. hash ciphertext ciphertext McOE-G: uses universal hash function H with Galois-Field arithmetic McOE-D: uses double encryption Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –19–

  25. Throughput Values [cycles/byte] McOE−X AES (software) 21.5 AES−NI 10.3 Threefish (software) 6.7 Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –20–

  26. Throughput Values [cycles/byte] McOE−X AES (software) 21.5 AES−NI 10.3 Threefish (software) 6.7 McOE−G AES (software) 22.8 AES−NI, GF−NI 8.8 Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . –20–

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The FoolProof Initiative FoolProof Financial Education: For no cost to schools: A program that

The FoolProof Initiative FoolProof Financial Education: For no cost to schools: A program that

10/22/14& The FoolProof Initiative FoolProof Financial Education: For no cost to schools: A program that quickly engages students. Unique type of web-driven financial literacy instruction. 1& 10/22/14& What FoolProof Provides:

480 views • 19 slides
Life Skills Curriculum ADD PIX OF HOME PAGE OF CRONKITEPROJECTTHAT REALLY GREAT PIX AND

Life Skills Curriculum ADD PIX OF HOME PAGE OF CRONKITEPROJECTTHAT REALLY GREAT PIX AND

High School Financial Literacy Life Skills Curriculum ADD PIX OF HOME PAGE OF CRONKITEPROJECTTHAT REALLY GREAT PIX AND THE FOOLPROOF EXISTS BECAUSE OF WALTER CRONKITE FoolProof Florida You can use FoolProof right away, for free!

368 views • 26 slides
Fort Benning, Home of the MCoE 1 Maneuver Center of Excellence - Team of Soldiers, Families, and

Fort Benning, Home of the MCoE 1 Maneuver Center of Excellence - Team of Soldiers, Families, and

Fort Benning, Home of the MCoE 1 Maneuver Center of Excellence - Team of Soldiers, Families, and Civilians from the Best Army in the World! Fort Benning, Home of the MCoE Dr. David Johnson Center for Strategic and Budgetary Assessments

393 views • 13 slides
Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 ,

Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 ,

Introduction Motivation Specification for Beetle Hardware Implementation Results of Beetle Conclusions Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 , Nilanjan Datta 2 , Mridul Nandi 3 and Kan

614 views • 32 slides
TOWARD AUTHENTICATED CALLER ID TRANSMISSION: THE NEED FOR A STANDARDIZED AUTHENTICATION SCHEME IN

TOWARD AUTHENTICATED CALLER ID TRANSMISSION: THE NEED FOR A STANDARDIZED AUTHENTICATION SCHEME IN

TOWARD AUTHENTICATED CALLER ID TRANSMISSION: THE NEED FOR A STANDARDIZED AUTHENTICATION SCHEME IN Q.731.3 CALLING LINE IDENTIFICATION PRESENTATION Huahong Tu, Adam Doup e, Ziming Zhao, and Gail-Joon Ahn Arizona State University { tu, doupe,

356 views • 8 slides
ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION:

ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION:

ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION: THE NEED FOR A STANDARDIZED AUTHENTICATION SCHEME IN Q.731.3 CALLING LINE IDENTIFICATION PRESENTATION Huahong Tu, Adam Doup, Ziming Zhao, and

388 views • 36 slides
ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION:

ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION:

ITU Kaleidoscope 2016 ICTs for a Sustainable World TOWARD AUTHENTICATED CALLER ID TRANSMISSION: THE NEED FOR A STANDARDIZED AUTHENTICATION SCHEME IN Q.731.3 CALLING LINE IDENTIFICATION PRESENTATION Huahong Tu, Adam Doup, Ziming Zhao, and

721 views • 35 slides
Making Default Address Selection More Robust FoolProof

Making Default Address Selection More Robust FoolProof

Making Default Address Selection More Robust FoolProof draft-linkova-6man-default-addr-selection-update-00 Jen Linkova IETF99, Prague, July 2017 When Does a Host Stop Using an Address? Preferred lifetime expired An RA received

540 views • 14 slides
The O-Ring Sector and the Foolproof Sector: An explanation for cross-country income differences

The O-Ring Sector and the Foolproof Sector: An explanation for cross-country income differences

The O-Ring Sector and the Foolproof Sector: An explanation for cross-country income differences Garett Jones Department of Economics and Center for Study of Public Choice George Mason University This version: July 2008 Why do some

362 views • 22 slides
Family of intersection problems Family of intersection problems CG Lecture 2 CG Lecture 2 1.

Family of intersection problems Family of intersection problems CG Lecture 2 CG Lecture 2 1.

Family of intersection problems Family of intersection problems CG Lecture 2 CG Lecture 2 1. Line segment intersection : given n line segments, Line segment intersection report their intersections efficiently. Worst case: k = n ( n 1)/2

505 views • 7 slides
Industry Days DOTD,30 APR 20 1400-1530 hrs. 1-480-297-0773 , passcode 229 0110# 1 Maneuver

Industry Days DOTD,30 APR 20 1400-1530 hrs. 1-480-297-0773 , passcode 229 0110# 1 Maneuver

Fort Benning, Home of the MCoE 2020 AUSA Chattahoochee Valley/Fort Benning, MCoE, and MCDID Virtual Industry Days DOTD,30 APR 20 1400-1530 hrs. 1-480-297-0773 , passcode 229 0110# 1 Maneuver Center of Excellence - Team of Soldiers, Families,

387 views • 14 slides
Foolproof Ansible Playbooks with Molecule Nathaniel Beckstead 1 Nathaniel Beckstead

Foolproof Ansible Playbooks with Molecule Nathaniel Beckstead 1 Nathaniel Beckstead

Foolproof Ansible Playbooks with Molecule Nathaniel Beckstead 1 Nathaniel Beckstead Automation extraordinaire Never enough infrastructure Favorite ice cream flavor is mint chocolate chip 2 Ansible 3 Ansible

831 views • 27 slides
Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton DIAC Directions in Authenticated Ciphers 05 July 2012

748 views • 52 slides
Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

PAKE Game-based Security Universal Composability LAKE Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1 David Pointcheval Ecole Normale Sup erieure Game-based Security 2 Universal

927 views • 10 slides
The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich and Christian Rechberger University of Luxembourg and DTU (Denmark) Presented by Yu Sasaki (NTT, Japan) 15 August 2013 Authenticated encryption

556 views • 22 slides
Bitcoin What We Know So Far Consensus Cryptographic Primitives Today Putting It All

Bitcoin What We Know So Far Consensus Cryptographic Primitives Today Putting It All

Bitcoin What We Know So Far Consensus Cryptographic Primitives Today Putting It All Together The Bitcoin System The First Primitive Data Structure Reference Reference Header Header Header Transactions Transactions

1k views • 57 slides
Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with

Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with

Stronger Security Variants of GCMSIV Kazuhiko Minematsu (NEC Corporation) Joint work with Tetsu Iwata (Nagoya University) To appear at FSE 2017 Recent Advances in Authenticated Encryption 2016 Kolkata, India 1 NonceBased AE

617 views • 44 slides
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud cole normale suprieure CHES September, 15th 2015 (with Aurlie Bauer) Damien Vergnaud (ENS) Key Recovery from Random

766 views • 48 slides
the Blockchain Krishnendu Chatterjee*, Amir Goharshady *, Arash Pourdamghani** *IST Austria,

the Blockchain Krishnendu Chatterjee*, Amir Goharshady *, Arash Pourdamghani** *IST Austria,

Probabilistic Smart Contracts: Secure Randomness on the Blockchain Krishnendu Chatterjee*, Amir Goharshady *, Arash Pourdamghani** *IST Austria, **Sharif University of Technology Random Numbers on the Blockchain Current programmable

502 views • 18 slides
Using Data Flow Analysis for Automatic Checking of Computational Confidentiality in

Using Data Flow Analysis for Automatic Checking of Computational Confidentiality in

Using Data Flow Analysis for Automatic Checking of Computational Confidentiality in Cryptographic Protocols Peeter Laud Tartu University and Cybernetica AS (joint work with Michael Backes) Teooriapevad Voorel, 29.0901.10.2006 p. 1/33

760 views • 47 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian

BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian

Introduction Motivation Security Result Attack Security Proof BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian Institute of Technology, Kharagpur, India. AFRICACRYPT, 2020 June 30, 2020 Introduction

1.74k views • 57 slides
Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now Extending the Salsa20 nonce 2006

762 views • 59 slides

More recommend