new modes of encryption a perspective and a proposal
play

New Modes of Encryption - A Perspective and a Proposal Virgil D. - PowerPoint PPT Presentation

Nov 25, 2022 •148 likes •375 views

New Modes of Encryption - A Perspective and a Proposal Virgil D. Gligor* Pompiliu Donescu VDG Inc 6009 Brookside Drive Chevy Chase, Maryland 20815 {gligor, pompiliu}@eng.umd.edu NIST Modes of Operation Workshop Baltimore, Maryland October

  1. New Modes of Encryption - A Perspective and a Proposal Virgil D. Gligor* Pompiliu Donescu VDG Inc 6009 Brookside Drive Chevy Chase, Maryland 20815 {gligor, pompiliu}@eng.umd.edu NIST Modes of Operation Workshop Baltimore, Maryland October 20, 2000 (*) Part of this work was performed while on sabbatical leave from the University of Maryland, Department of Electrical and Computer Engineering, College Park, Maryland 20742 GD - 10/20/00 1

  2. Outline 1. Security Claims 2. Operational Claims 3. Evidence 4. Examples: XCBC, XECB-MAC and PM-XOR 5. Proposal: Three* Distinct Mode Candidates 6. Intellectual Property Status GD - 10/20/00 2

  3. 1. Security Claims for Modes of Encryption 1. Claim = a security notion supported by a mode or scheme of encryption 2. Security Notion = < security goal, attack characteristics> 3. Security Goal : confidentiality, integrity (authenticity), common - Examples: • confidentiality: indistinguishability (IND) • integrity: resistance to existential forgery (EF) • common: resistance to key searches (KS) • combinations 4. Attack Characteristics (models) - Examples: • Chosen (Known) Plaintext • Ciphertext-only • Chosen ciphertext • combinations GD - 10/20/00 3

  4. Example of a Chosen-Plaintext Attack Distributed Service: S (S1, S2), shared key K; Clients: Client 1. … Adv, …, Client n Adversary: Adv Client 1 . . . . OK / Null S2 S1 Client n K K forgery j ciphertext i 1i 2i 4j plaintext i Adv constructs ciphertext i forgery j 3j In attack scenario: S1 becomes an Encryption Oracle S2 becomes a Decryption Oracle GD - 10/20/00 4

  5. Example of Ciphertext-only Attack Distributed Service: S (S1, S2), shared key K; Clients: Client 1,…, Client n Adversary: Adv is not a client 1i plaintext i Client 1 . . . . OK / Null S2 S1 Client n K K forgery j ciphertext i 2i 4j Adv constructs ciphertext i forgery j 3j In attack scenario: No Encryption Oracle: plaintext i is r.u.d (Adv known absolutely nothing about plaintext i) GD - 10/20/00 5 S2 becomes a Decryption Oracle

  6. Example of Integrity Goals Existential Forgery protection (EF) : Pr[ D K (forgery) =/= Null ] is negligible Other Integrity Notions: constraints on D K (forgery) =/= Null Examples: Non-malleability (NM) : given ciphertext challenge y whose plaintext x may be unknown, find forgery of the same length as y : Pr [ D K (forgery) =/= Null and Relationship( D K (forgery), x) ] is negligible Integrity of Plaintexts (PI) : Pr [ D K (forgery) =/= Null and D K (forgery) =/= plaintexts encrypted before ] is negligible Assurance of Plaintext Uncertainty (PU) : Pr [ D K (forgery) =/= Null => D K (forgery) =/= plaintexts encrypted before and is unknown ] is close to 1 Protection against Chosen-Plaintext Forgery (CPF) : given a chosen plaintext challenge x , Pr [ D K (forgery) =/= Null and D K (forgery) = x =/= plaintexts encrypted before ] is negligible Note: some constraints may be integrity counter-intuitive; e.g., assurance of Known-Plaintext Forgery (KPF) Pr [ D K (forgery) =/= Null => D K (forgery) is known ] is close to 1. GD - 10/20/00 6

  7. Relationships among Integrity Notions KPF - CPA PI - CPA EF - CPA PU - CPA CPF - CPA CPF - CoA NM - CPA EF - CoA Legend: A B iff A ==> B and B =/=> A (``dominance’’) A ==> B iff mode is secure in A is also secure in B B =/=> A iff mode is secure in B is not secure in A GD - 10/20/00 7

  8. Examples of Modes Satisfying Different Integrity Notions Encryption Mode - “redundancy” function or Encryption Mode + MAC Mode PI - CPA Conf. DES-CBC-CRC32 (K v5, DCE) ``easy’’ IGE-z 0 EF - CPA PU - CPA CPF - CPA CPF - CoA VIL-CBC-nzg XOC-XOR XCBC-XOR IACBC NM - CPA IAPM BIGE-nzg PM-XOR OCB ctr-mode + XECB MAC EF - CoA Infinite Garble Extension ( IGE ) ctr-mode + PMAC Encryption: y i = Enc K (x i / y i-1 ) / x i -1 IGE-z 0 Note: italics designate modes presented in NIST Workshop on AES Modes of Encryption GD - 10/20/00 8

  9. 2. Operational Claims for Modes of Encryption 1. Claim = a operational notion supported by a mode or scheme of encryption 2. Operational Notion = < operational goals, mode characteristics > 3. Operational Goal : cost-performance, simplicity, others - Examples of (related) goals: • cost-performance: • low power consumption • high speed (e.g., throughput) • low implementation cost (e.g., hardware ``real-estate’’) • simplicity • single cryptographic primitive, key 4. Mode Characteristics - Examples: • State: stateless, stateful • Degree of parallelism • sequential • interleaved (apriori known or negotiated no. of proc. units) • fully parallel (independent of no. of processing units) • Separated Confidentiality and Integrity keys • Other: incremental, out-of-order processing GD - 10/20/00 9

  10. Examples of Operational Claims Low- and High-End Goals • cost-performance: • low power consumption • speed: moderate (e.g., < 100 MBS) > 100 GBS • low implementation cost hardware • simplicity • single cryptographic primitive (AES), key single crypto prim. Low- and High-End Mode Characteristics • State: stateful stateful, stateless • Degree of parallelism • sequential (single processor) fully parallel for Conf. & Integrity • Separated Confidentiality and Integrity keys: No Yes • Others: incremental, out-of-order processing: No Yes for both Conf. & Integrity GD - 10/20/00 10

  11. 3. Evidence for Claims 1. Mode specification 2. Security Claim - goal - attack pair(s) 3. “Proof “ - formal: Mode spec. satisfies Security Claim • standing assumption: AES is secure w.r.t. all known attacks - peer review - other empirical evidence: known attacks 4. Operational Claim - goal - mode characteristics pair(s) 5. Operational evidence - implementation + performance tests - other empirical evidence GD - 10/20/00 11

  12. XCBC Encryption Fact: Encryption is not intended to provide integrity Motivation - Encryption w/o integrity checking is all but useless [Bellovin 98] - Define family of encryption modes to help provide integrity with non-cryptographic “redundancy” functions - Security claims: IND-CPA confidentiality and EF-CPA integrity, reasonable bounds - Operational claims: preferred for Low- to Mid-End op. environment - Knowledge of operational environments: • apriori obtained • discovered via negotiation GD - 10/20/00 12

  13. Operational Claims Preferred environments : low- to mid-end Goals - cost performance •low power consumption • speed: moderate to high (e.g., close to CBC-UMAC-MMX30) • low implementation cost - simplicity • single cryptographic primitive (AES), key Mode Characteristics • State: stateful, stateless • Degree of parallelism: sequential (single processor), interleaved (known no. procs.) • Separated Confidentiality and Integrity keys: No • Others: incremental, out-of-order processing: Yes (if interleaved) GD - 10/20/00 13

  14. Stateless XCBC Scheme - Encryption of x = x 1 x 2 x 3 (single key is also possible) random x 1 r 0 x 2 x 3 z 0 key’ AES-e key AES-e key AES-e AES-e AES-e z 1 z 2 z 3 Extend op S 1 S 2 op op CBC S 3 S i = sequence y 0 op = operation y 1 y 2 y 3 Examples of S i and op combinations ( + is mod 2 l ; is bitwise exclusive-or) S i = S i-1 + r 0 , S 0 = 0 (written as S i = i x r 0 ) op = + Other S i and op definitions exist (e.g., C.S. Jutla’s and P. Rogaway’s proposals) GD - 10/20/00 14

  15. Stateless XCBC -XOR Scheme - Encryption of x = x 1 x 2 x 3 unpredictable function of message x g(x) random x 1 x 2 r 0 x x 4 3 z 0 key’ AES-e key key AES-e AES-e AES-e AES-e AES-e z 1 z 2 z 3 z 4 S 1 op S 2 op S 3 op op S 4 y y y y y 0 1 2 3 4 Example: g(x) = x 1 x2 x3 z’ 0 ; z’ 0 = z 0 GD - 10/20/00 15 Other examples of g(x) exist

  16. Selection Criteria for S i , op, g(x) ? Satisfy Security Claims: - Proof for integrity goal: EF-CPA ( must be able to do the proofs for selected S i , op, g(x) ): • integrity: [GD 00] Satisfy Operational Claims: - Goals: low- to mid-end environments Performance Example (by Jason S. Papadopoulos) PC: 366 MHz Intel Celeron; OS: Red Hat Linux 5.2; Compiler: egcs; optimization: -o3-mcpu = I686 - fomit - frame - pointer Block Enc/Dec : openSSL DES in-cache timing : 64B, 256B, 512B, 1KB, 2KB, 4KB, 8KB, 16KB, 64KB, 256 KB - aligned data on 8 byte boundary CBC-UMAC-MMX30 42.86 - 46.48 clocks / byte; and for 8B - 77.23 clocks/byte XCBC-XOR 43.38 - 44.62 clocks / byte; and for 8B - 49.57 clocks/byte - unaligned data (8 byte boundary +1) CBC-UMAC-MMX30 44.13 - 47.35 clocks / byte; and for 8B - 80.85 clocks/byte XCBC-XOR 44.38 - 45.00 clocks / byte; and for 8B - 49.58 clocks/byte GD - 10/20/00 16

  17. XECB - MAC Motivation - Stand-alone, fully parallel family of MACs, like the XOR-MAC • with better throughput • reasonable security bounds for EF- CPA - XORC (and ctr-mode) needs a MAC with similar mode characteristics using the same cryptographic primitive [ XORC, and ctr-mode, does not allow non-cryptographic “redundancy” function g(x) ] Preferred Operational Environment: High-End - XORC (ctr-mode) + XECB (or any other similar MAC) requires two keys => two separate passes in single processor , sequential implementations => approx. twice the power consumption and half speed of XCBC-XOR GD - 10/20/00 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Towards Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1

Towards Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1

Block cipher modes Generic Encryption Mode Our Approach Our Hoare Logic Result Conclusion Towards Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1 Martin Gagn Reihaneh Safavi-Naini 2 1 Universit

663 views • 35 slides
Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1 Martin

Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1 Martin

Automatic Proofs for Symmetric Encryption Modes Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1 Martin Gagn Reihaneh Safavi-Naini 2 1 Universit e Grenoble 1, CNRS, Verimag , FRANCE 2 Department of

538 views • 29 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
Depletion and mineral modes Mineral modes of peridotite are 48% Oli related to extent of melt

Depletion and mineral modes Mineral modes of peridotite are 48% Oli related to extent of melt

Lecture III: Mantle garnets as lithosphere proxies a major-element and temporal perspective Herman Grtter UBC Lectures - Mantle Indicators in modern use 30 October 2013 Depletion and mineral modes Mineral modes of peridotite are 48%

343 views • 8 slides
Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1 Martin

Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1 Martin

Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1 Martin Gagn Reihaneh Safavi-Naini 2 1 Universit e Grenoble 1, CNRS, Verimag , FRANCE 2 Department of Computer Science, University of Calgary, Canada

400 views • 23 slides
Systems and Network Security (NETW-1002) Dr. Mohamed Abdelwahab Saleh IET-Networks, GUC Spring

Systems and Network Security (NETW-1002) Dr. Mohamed Abdelwahab Saleh IET-Networks, GUC Spring

Data Encryption Standard DES Modes of Operation Systems and Network Security (NETW-1002) Dr. Mohamed Abdelwahab Saleh IET-Networks, GUC Spring 2020 Data Encryption Standard DES Modes of Operation TOC Data Encryption Standard 1 DES Modes

424 views • 18 slides
AES-Based Authenticated Encryption Modes in Parallel High-Performance Software Andrey Bogdanov

AES-Based Authenticated Encryption Modes in Parallel High-Performance Software Andrey Bogdanov

AES-Based Authenticated Encryption Modes in Parallel High-Performance Software Andrey Bogdanov Martin M. Lauridsen Elmar Tischhauser mmeh @ dtu.dk DTU Compute, Technical University of Denmark DIAC 2014 Santa Barbara, August 24, 2014 Context

540 views • 19 slides
The Limited Power of Verification Queries in Message Authentication and Authenticated Encryption

The Limited Power of Verification Queries in Message Authentication and Authenticated Encryption

The Limited Power of Verification Queries in Message Authentication and Authenticated Encryption September 29, 2015 Atul Luykx, Bart Preneel, Kan Yasuda 1 / 15 Modes of Operation p E K F K E K 2 / 15 Modes of Operation p E K F K

428 views • 42 slides
One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University

One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University

One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Information Security 1 Basic Ciphers Shift Cipher Brute&amp;force attack can easily break Substitution Cipher Frequency

571 views • 35 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and

DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and

DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and Digital Voice Modes Presented by N7MOT Lenny Gemar Amateur radio began with spark gap transmitters, evolving to Morse code and analog voice

442 views • 20 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata Ibaraki University March 17, 2006 Fast Software Encryption, FSE 2006, Graz, Austria, March 1517, 2006 Blockcipher Modes Algorithms

1.42k views • 30 slides
STUDENTS UNION PERSPECTIVE Overview Frank Robinson proposal Donor interest Peter

STUDENTS UNION PERSPECTIVE Overview Frank Robinson proposal Donor interest Peter

STUDENTS UNION PERSPECTIVE Overview Frank Robinson proposal Donor interest Peter Meekison brought on board Initiative launched Building plans for approval SU perspective Early Days Presentation to Deans Council

277 views • 10 slides
Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware Encryption S Web Encryption S Email Encryption OpenPGP S S/MIME S S Online Social Network Public Key Encryption S Encryption/Decryption

842 views • 26 slides
Untagging Tor: A Formal Treatment of Onion Encryption Jean Paul Degabriele Martijn Stam 1

Untagging Tor: A Formal Treatment of Onion Encryption Jean Paul Degabriele Martijn Stam 1

Untagging Tor: A Formal Treatment of Onion Encryption Jean Paul Degabriele Martijn Stam 1 Outline of this talk Overview of Tor Tagging Attacks and Their Severity Modelling Onion Encryption Tor Proposal 261 and Security Analysis

731 views • 21 slides
Emerging Markets beats EFA 2003 through September 2007 EEM 22 countries (+298%) beats EFA

Emerging Markets beats EFA 2003 through September 2007 EEM 22 countries (+298%) beats EFA

FOREIGN (EFA) BEATS US (S&amp;P500) 2002 through September 2007 EFA 21 countries (+100%) beats S&amp;P500 (+25%) Emerging Markets beats EFA 2003 through September 2007 EEM 22 countries (+298%) beats EFA (+147%). 1 Marotta Asset Management,

312 views • 12 slides
Patrick Fuhrmann (DESY) EMI Data Area lead EMI

Patrick Fuhrmann (DESY) EMI Data Area lead EMI

EMI INFSO-RI-261611 Patrick Fuhrmann (DESY) EMI Data Area lead EMI INFSO-RI-261611 People Alejandro Alvarez Michele Dibenedetto Alex Sim Michail Salichos

270 views • 26 slides
Titlegraphicshamelesslystolenfromwww.pennyarcade.com Whodoesit?

Titlegraphicshamelesslystolenfromwww.pennyarcade.com Whodoesit?

Titlegraphicshamelesslystolenfromwww.pennyarcade.com Whodoesit? Isitlegal? Isitethical? Solutions IMHO MostlyChina,butalso KoreaandMexico

131 views • 9 slides
Measuring Cross-Border E-Commerce Scarlett Fondeur Gil, Economic Affairs Officer ICT Policy

Measuring Cross-Border E-Commerce Scarlett Fondeur Gil, Economic Affairs Officer ICT Policy

Measuring Cross-Border E-Commerce Scarlett Fondeur Gil, Economic Affairs Officer ICT Policy Section Eurasian Regional Workshop International Trade Statistics: Edge of Tomorrow 15 November 2019 Nur Sultan, Republic of Kazakhstan

217 views • 11 slides
NET 2-20 per 10 Intermed. 3-20 Carcinoid, Neuroendocrine tumor, HPF (G2) atypical grade 2

NET 2-20 per 10 Intermed. 3-20 Carcinoid, Neuroendocrine tumor, HPF (G2) atypical grade 2

3/7/2015 GI and Pancreatic NETs Disclosures Ipsen NET Advisory Board The Postgraduate Course in Breast and Endocrine Surgery Marines Memorial Club and Hotel San Francisco, CA Treatment of GI and Pancreatic Neuroendocrine Tumors Eric

538 views • 15 slides
R a P n d a o g Necrotic Enteritis m e s S Tahseen Abdul-Aziz f o a Rollins Animal

R a P n d a o g Necrotic Enteritis m e s S Tahseen Abdul-Aziz f o a Rollins Animal

R a P n d a o g Necrotic Enteritis m e s S Tahseen Abdul-Aziz f o a Rollins Animal Disease Diagnostic Laboratory, North Carolina Department of r m Agriculture and Consumer Services, Raleigh, NC, USA P p r H. John Barnes l e

248 views • 8 slides
March 5, 2013 Jonathan Monk Outline E. coli : from strain to species Core and Pan

March 5, 2013 Jonathan Monk Outline E. coli : from strain to species Core and Pan

Comparison of multiple E. coli models reveals unique metabolic phenotypes March 5, 2013 Jonathan Monk Outline E. coli : from strain to species Core and Pan genomes/reactomes Metabolic Network Reconstruction Procedure Phenotypic

529 views • 25 slides
The gut microbiota and SES in preterm infants in the Chicago area Erika C. Claud, MD Professor

The gut microbiota and SES in preterm infants in the Chicago area Erika C. Claud, MD Professor

The gut microbiota and SES in preterm infants in the Chicago area Erika C. Claud, MD Professor Departments of Pediatrics Section of Neonatology Director of Neonatology Research The University of Chicago Prematurity What is full term?

836 views • 45 slides

More recommend