On Some Constructions for Authenticated Encryption with Associated Data - PowerPoint PPT Presentation

  1. On Some Constructions for Authenticated Encryption with Associated Data. Palash Sarkar, Applied Statistics Unit, Indian Statistical Institute, Kolkata, India. palash@isical.ac.in (Partially based on joint work with Debrup Chakraborty.) Directions in Authenticated Ciphers – DIAC 2012, 6th July 2012. Palash Sarkar (ISI, Kolkata), AEAD Constructions, DIAC 2012, 1 / 32.

  2. Encryption. [Diagram: Sender computes cpr = Encrypt(K, msg) and sends cpr over a public channel observed by an adversary; Receiver recovers msg as Decrypt(K, cpr). Both hold the key K.]

  3. Authentication. [Diagram: Sender computes tag = Generate(K, msg) and sends (msg, tag) over a public channel observed by an adversary; Receiver runs Verify(K, msg, tag). Both hold the key K.]

  4. Authenticated Encryption (AE). [Diagram: Sender takes msg and a nonce, computes cpr = (C, tag) with Encrypt under K, and sends it over a public channel observed by an adversary; Receiver, holding the same nonce, runs Decrypt under K.]

  5. AE with Associated Data (AEAD). [Diagram: Sender takes (hdr, msg) and a nonce, computes (hdr, cpr = (C, tag)) with Encrypt under K, and sends it over a public channel observed by an adversary; Receiver, holding the same nonce, runs Decrypt under K.]

  6. Deterministic AEAD (DAEAD). [Diagram: as AEAD but without a nonce: Sender takes (hdr, msg), computes (hdr, cpr = (C, tag)) with Encrypt under K, and sends it over a public channel observed by an adversary; Receiver runs Decrypt under K.]

  7. Construction Approaches. We will consider: single-pass block cipher modes of operation, (a) from tweakable block ciphers and (b) from (plain) block ciphers; and stream cipher with IV and a hash function (with provably low collision and differential probabilities). Other approaches: direct construction of an integrated primitive (PHELIX, SOBER, AEGIS, ...); from permutations (Bertoni et al 2011); generic conversion from AE to AEAD: AE+MAC (Rogaway 2002), AE+CRHF (Sarkar 2010).

  8. Some AE(AD) Schemes from Block Ciphers. Two-pass, cost per block (approx.) 2[BC] or 1[BC]+1[M]: CCM (Counter + CBC-MAC; standardised by NIST, USA); GCM (Counter + universal hash; standardised by NIST, USA); CWC (Carter-Wegman + Counter mode); EAX; CHM (CENC + hash); CCFB (between one- and two-pass). Single-pass, cost per block (approx.) 1[BC] + something. Constructions having associated (US) patents: IACBC, IAPM (Jutla, 2001); XCBC, XECB (Gligor-Donescu, 2001); OCB (Rogaway et al, 2001; Rogaway 2004; Krovetz-Rogaway, 2011). Constructions without associated patents: Chakraborty-Sarkar (2006, 2008); Sarkar (2010).

  9. AE(AD) from Tweakable Block Ciphers.

  10. (Tweakable) Block Ciphers. [Diagram: a block cipher maps msg blk to cpr blk under key K and back; a tweakable block cipher additionally takes a tweak T as input to both Encrypt and Decrypt.] Non-secret tweak allows flexibility in designing applications. Formalised by Liskov-Rivest-Wagner (2002).

  11. TBC and Modes of Operations. Rogaway (2004): provides an efficient construction of a TBC family; introduces a technique for using a TBC family to construct different modes of operation. Chakraborty-Sarkar (2006, 2008): a new TBC family obtained by generalising Rogaway's construction, which can be instantiated over $GF(2^n)$ or $\mathbb{Z}_{2^n}$; provides two techniques for constructing modes of operation, the first generalising Rogaway's work and the second a new technique; provides a family of modes of operation for MAC, AE and AEAD, where only one of each kind was known earlier.

  12. From BC to TBC (Generalising Rogaway 2004). XE construction (tweakable PRP): $\widetilde{E}_K^{N,l}(M) = E_K(M + \Delta)$. XEX construction (tweakable SPRP): $\widetilde{E}_K^{N,l}(M) = E_K(M + \Delta) - \Delta$, where $\Delta = f_l(\mathbf{N})$ and $\mathbf{N} = E_K(N)$. $f_1, f_2, \ldots$ is a masking sequence. $(N, l)$ is the tweak; the tweak space is $\{0,1\}^n \times \{1, 2, \ldots, 2^n - 2\}$. Addition (and subtraction) is over a ring $R$. The generalisation arises from the notion of masking sequence and from working over $R$.

  13. Masking Sequence: Definition. $f_1, f_2, \ldots, f_m$ (with each $f_s : \{0,1\}^n \to \{0,1\}^n$) is an $(n, m, \mu)$ masking sequence if $\mathrm{Prob}[f_s(N) = \alpha] \le 1/\mu$, $\mathrm{Prob}[f_s(N) = N + \alpha] \le 1/\mu$, $\mathrm{Prob}[f_s(N) = f_t(N) + \alpha] \le 1/\mu$ and $\mathrm{Prob}[f_s(N) = f_t(N') + \alpha] \le 1/\mu$, where $N$ and $N'$ are randomly and independently chosen from $\{0,1\}^n$ and $\alpha$ is any fixed $n$-bit string.

  14. Instantiations of $R$. $R$ as $GF(2^n)$: define $f_i(N) = N G^i$, where $G$ is an $n \times n$ binary matrix whose characteristic polynomial is primitive over $GF(2)$. Then $f_1, f_2, \ldots, f_{2^n-2}$ is an $(n, 2^n - 2, 2^n)$ masking sequence. Efficient instantiations of $G$: powering method, (word oriented) LFSR, CA. $R$ as $\mathbb{Z}_{2^n}$: let $p = 2^n + \delta$ be a prime with $\delta$ as small as possible, e.g. $p = 2^{128} + 51$. Define $f_i(N) = ((i+1) N \bmod p) \bmod 2^n$. Then $f_1, f_2, \ldots, f_{2^n-2}$ is an $(n, 2^n - 2, 2^{n-1}/(\delta + 1))$ masking sequence. Rogaway (2004): $R$ as $GF(2^n)$ with the powering construction.
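As an added example (not the speaker's code nor a Chakraborty-Sarkar reference implementation), the XE/XEX construction of slide 12 with both masking-sequence instantiations of slide 14: the powering method over GF(2^128), and f_i(N) = ((i+1)N mod p) mod 2^n over Z_{2^128} with the slide's p = 2^128 + 51. E_K is assumed to be a toy SHA-256-based Feistel permutation standing in for a real block cipher; key, nonce and message values are constructed.

```python
import hashlib
MASK = (1 << 128) - 1
M64 = (1 << 64) - 1
P = (1 << 128) + 51        # prime p = 2^n + delta from the slides (n = 128, delta = 51)
POLY = (1 << 128) | 0x87   # x^128 + x^7 + x^2 + x + 1, primitive over GF(2)

def _F(key, i, half):
    """Round function of the toy Feistel stand-in (SHA-256 based; assumption)."""
    h = hashlib.sha256(key + bytes([i]) + half.to_bytes(8, "big")).digest()
    return int.from_bytes(h[:8], "big")

def E(key, m):
    """Toy 8-round Feistel permutation on 128-bit ints standing in for E_K."""
    L, R = m >> 64, m & M64
    for i in range(8):
        L, R = R, L ^ _F(key, i, R)
    return (L << 64) | R

def D(key, c):
    """Inverse of E: undo the rounds in reverse order."""
    L, R = c >> 64, c & M64
    for i in reversed(range(8)):
        L, R = R ^ _F(key, i, L), L
    return (L << 64) | R

def gf_mask(nb, l):
    """f_l(N) = N * x^l in GF(2^128): the powering method, l doublings."""
    for _ in range(l):
        nb = ((nb << 1) ^ (POLY if nb >> 127 else 0)) & MASK
    return nb

def z_mask(nb, l):
    """f_l(N) = ((l + 1) N mod p) mod 2^n over the ring Z_{2^n}."""
    return ((l + 1) * nb % P) & MASK
# ring name -> (masking sequence, ring addition, ring subtraction)
RINGS = {
    "gf": (gf_mask, lambda a, b: a ^ b, lambda a, b: a ^ b),
    "z": (z_mask, lambda a, b: (a + b) & MASK, lambda a, b: (a - b) & MASK),
}

def xex(key, N, l, x, ring="gf", decrypt=False):
    """XEX with tweak (N, l): C = E_K(M + delta) - delta, delta = f_l(E_K(N))."""
    mask, add, sub = RINGS[ring]
    delta = mask(E(key, N), l)       # N-bar = E_K(N), then delta = f_l(N-bar)
    core = D if decrypt else E       # decryption: M = D_K(C + delta) - delta
    return sub(core(key, add(x, delta)), delta)

def roundtrip_ok(ring):
    """Constructed check: XEX decrypts correctly and the mask changes with l."""
    key, N, M = b"k" * 16, 7, 0x0123456789ABCDEF0123456789ABCDEF
    c1, c2 = xex(key, N, 1, M, ring), xex(key, N, 2, M, ring)
    return xex(key, N, 1, c1, ring, decrypt=True) == M and c1 != c2
```

Swapping E and D for a real block cipher leaves the XEX layer unchanged; only the ring operations and the masking sequence differ between the two instantiations.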

  15. From TBC to AE. XEX-TBC $\widetilde{E}$ with tweak space $\{0,1\}^n \times \{1, 2, \ldots, 2^{n/2}\} \times \{0,1\}$.
