reconsidering the security bound of aes gcm siv
play

Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and - PowerPoint PPT Presentation

Dec 14, 2022 •395 likes •1.11k views

Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and Yannick Seurin 2 1 Nagoya University, Japan 2 ANSSI, France March 7, 2018 FSE 2018

  1. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and Yannick Seurin 2 1 Nagoya University, Japan 2 ANSSI, France March 7, 2018 — FSE 2018 T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 1 / 26

  2. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Summary of the contribution • we reconsider the security of the AEAD scheme AES-GCM-SIV designed by Gueron, Langley, and Lindell • we identify flaws in the designers’ security analysis and propose a new security proof • our findings leads to significantly reduced security claims, especially for long messages • we propose a simple modification to the scheme (key derivation function) improving security without efficiency loss T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 2 / 26

  3. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Summary of the contribution • we reconsider the security of the AEAD scheme AES-GCM-SIV designed by Gueron, Langley, and Lindell • we identify flaws in the designers’ security analysis and propose a new security proof • our findings leads to significantly reduced security claims, especially for long messages • we propose a simple modification to the scheme (key derivation function) improving security without efficiency loss T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 2 / 26

  4. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Summary of the contribution • we reconsider the security of the AEAD scheme AES-GCM-SIV designed by Gueron, Langley, and Lindell • we identify flaws in the designers’ security analysis and propose a new security proof • our findings leads to significantly reduced security claims, especially for long messages • we propose a simple modification to the scheme (key derivation function) improving security without efficiency loss T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 2 / 26

  5. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Summary of the contribution • we reconsider the security of the AEAD scheme AES-GCM-SIV designed by Gueron, Langley, and Lindell • we identify flaws in the designers’ security analysis and propose a new security proof • our findings leads to significantly reduced security claims, especially for long messages • we propose a simple modification to the scheme (key derivation function) improving security without efficiency loss T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 2 / 26

  6. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Outline Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 3 / 26

  7. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Outline Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 4 / 26

  8. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks History of (AES)-GCM-(SIV) AEAD schemes • GCM [MV04] • CTR encryption + Wegman-Carter MAC • Encrypt-then-MAC composition • widely deployed, not nonce-misuse resistant [Jou06, BZD + 16] • GCM-SIV [GL15] • same components as GCM • Synthetic IV (SIV) composition [RS06] • nonce-misuse resistant • AES-GCM-SIV [GLL16, GLL17] • � = GCM-SIV instantiated with AES • similar to GCM-SIV but three modifications: • universal hash function (POLYVAL instead of GHASH) • full-block counter • nonce-based key derivation ( K , N ) �→ ( K polyval , K BC ) • proposed for standardization at IETF CFRG T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 5 / 26

  9. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks History of (AES)-GCM-(SIV) AEAD schemes • GCM [MV04] • CTR encryption + Wegman-Carter MAC • Encrypt-then-MAC composition • widely deployed, not nonce-misuse resistant [Jou06, BZD + 16] • GCM-SIV [GL15] • same components as GCM • Synthetic IV (SIV) composition [RS06] • nonce-misuse resistant • AES-GCM-SIV [GLL16, GLL17] • � = GCM-SIV instantiated with AES • similar to GCM-SIV but three modifications: • universal hash function (POLYVAL instead of GHASH) • full-block counter • nonce-based key derivation ( K , N ) �→ ( K polyval , K BC ) • proposed for standardization at IETF CFRG T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 5 / 26

  10. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks History of (AES)-GCM-(SIV) AEAD schemes • GCM [MV04] • CTR encryption + Wegman-Carter MAC • Encrypt-then-MAC composition • widely deployed, not nonce-misuse resistant [Jou06, BZD + 16] • GCM-SIV [GL15] • same components as GCM • Synthetic IV (SIV) composition [RS06] • nonce-misuse resistant • AES-GCM-SIV [GLL16, GLL17] • � = GCM-SIV instantiated with AES • similar to GCM-SIV but three modifications: • universal hash function (POLYVAL instead of GHASH) • full-block counter • nonce-based key derivation ( K , N ) �→ ( K polyval , K BC ) • proposed for standardization at IETF CFRG T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 5 / 26

  11. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks History of (AES)-GCM-(SIV) AEAD schemes • GCM [MV04] • CTR encryption + Wegman-Carter MAC • Encrypt-then-MAC composition • widely deployed, not nonce-misuse resistant [Jou06, BZD + 16] • GCM-SIV [GL15] • same components as GCM • Synthetic IV (SIV) composition [RS06] • nonce-misuse resistant • AES-GCM-SIV [GLL16, GLL17] • � = GCM-SIV instantiated with AES • similar to GCM-SIV but three modifications: • universal hash function (POLYVAL instead of GHASH) • full-block counter • nonce-based key derivation ( K , N ) �→ ( K polyval , K BC ) • proposed for standardization at IETF CFRG T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 5 / 26

  12. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks History of (AES)-GCM-(SIV) AEAD schemes • GCM [MV04] • CTR encryption + Wegman-Carter MAC • Encrypt-then-MAC composition • widely deployed, not nonce-misuse resistant [Jou06, BZD + 16] • GCM-SIV [GL15] • same components as GCM • Synthetic IV (SIV) composition [RS06] • nonce-misuse resistant • AES-GCM-SIV [GLL16, GLL17] • � = GCM-SIV instantiated with AES • similar to GCM-SIV but three modifications: • universal hash function (POLYVAL instead of GHASH) • full-block counter • nonce-based key derivation ( K , N ) �→ ( K polyval , K BC ) • proposed for standardization at IETF CFRG T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 5 / 26

  13. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks History of (AES)-GCM-(SIV) AEAD schemes • GCM [MV04] • CTR encryption + Wegman-Carter MAC • Encrypt-then-MAC composition • widely deployed, not nonce-misuse resistant [Jou06, BZD + 16] • GCM-SIV [GL15] • same components as GCM • Synthetic IV (SIV) composition [RS06] • nonce-misuse resistant • AES-GCM-SIV [GLL16, GLL17] • � = GCM-SIV instantiated with AES • similar to GCM-SIV but three modifications: • universal hash function (POLYVAL instead of GHASH) • full-block counter • nonce-based key derivation ( K , N ) �→ ( K polyval , K BC ) • proposed for standardization at IETF CFRG T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 5 / 26

  14. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks History of (AES)-GCM-(SIV) AEAD schemes • GCM [MV04] • CTR encryption + Wegman-Carter MAC • Encrypt-then-MAC composition • widely deployed, not nonce-misuse resistant [Jou06, BZD + 16] • GCM-SIV [GL15] • same components as GCM • Synthetic IV (SIV) composition [RS06] • nonce-misuse resistant • AES-GCM-SIV [GLL16, GLL17] • � = GCM-SIV instantiated with AES • similar to GCM-SIV but three modifications: • universal hash function (POLYVAL instead of GHASH) • full-block counter • nonce-based key derivation ( K , N ) �→ ( K polyval , K BC ) • proposed for standardization at IETF CFRG T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 5 / 26

  15. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks History of (AES)-GCM-(SIV) AEAD schemes • GCM [MV04] • CTR encryption + Wegman-Carter MAC • Encrypt-then-MAC composition • widely deployed, not nonce-misuse resistant [Jou06, BZD + 16] • GCM-SIV [GL15] • same components as GCM • Synthetic IV (SIV) composition [RS06] • nonce-misuse resistant • AES-GCM-SIV [GLL16, GLL17] • � = GCM-SIV instantiated with AES • similar to GCM-SIV but three modifications: • universal hash function (POLYVAL instead of GHASH) • full-block counter • nonce-based key derivation ( K , N ) �→ ( K polyval , K BC ) • proposed for standardization at IETF CFRG T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 5 / 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OS Structure and Performance OS Structure and Performance Reconsidering the Kernel Interface

OS Structure and Performance OS Structure and Performance Reconsidering the Kernel Interface

OS Structure and Performance OS Structure and Performance Reconsidering the Kernel Interface Reconsidering the Kernel Interface Mach and NT are representative of systems that seek to provide richer, more general kernel interfaces than Unix.

523 views • 23 slides
Short Variable Length Domain Extenders With Beyond Birthday Bound Security Yu Long Chen 1 Bart

Short Variable Length Domain Extenders With Beyond Birthday Bound Security Yu Long Chen 1 Bart

Short Variable Length Domain Extenders With Beyond Birthday Bound Security Yu Long Chen 1 Bart Mennink 2 Mridul Nandi 3 imec-COSIC, KU Leuven Digital Security Group, Radboud University, Nijmegen Indian Statistical Institute, Kolkata December 3,

854 views • 47 slides
Reconsidering the Consequences of Worker Displacements: Survey versus Administrative Measurements

Reconsidering the Consequences of Worker Displacements: Survey versus Administrative Measurements

Reconsidering the Consequences of Worker Displacements: Survey versus Administrative Measurements Aaron Flaaen 1 Matthew Shapiro 2 3 Isaac Sorkin 2 4 1 Federal Reserve Board 2 University of Michigan 3 NBER 4 FRB Chicago SIEPR Conference on

704 views • 43 slides
1 Mach Overview Mach Overview Mach Mach Mach is more general than NT in that objects named by

1 Mach Overview Mach Overview Mach Mach Mach is more general than NT in that objects named by

Reconsidering the Kernel Interface Reconsidering the Kernel Interface Mach and NT are representative of systems that seek to provide richer, more general kernel interfaces than Unix. decouple elements of process abstraction OS Structure and

256 views • 4 slides
Reconsidering the Internet Routing Architecture Olivier Bonaventure Universit catholique de

Reconsidering the Internet Routing Architecture Olivier Bonaventure Universit catholique de

Reconsidering the Internet Routing Architecture Olivier Bonaventure Universit catholique de Louvain, Belgium March 12, 2007 1 Introduction The current growth of the BGP routing tables [15] and Forwarding Information bases (FIB) on core

299 views • 9 slides
GPUdrive : Reconsidering Storage Accesses for GPU Acceleration Mustafa Shihab, Karl Taht, and

GPUdrive : Reconsidering Storage Accesses for GPU Acceleration Mustafa Shihab, Karl Taht, and

GPUdrive : Reconsidering Storage Accesses for GPU Acceleration Mustafa Shihab, Karl Taht, and Myoungsoo Jung Computer Architecture and Memory Systems Laboratory Department of Electrical Engineering The University of Texas at Dallas Takeaways

582 views • 22 slides
Curriculum Why we are reconsidering the curriculum at Little Paxton Presentation by the Head

Curriculum Why we are reconsidering the curriculum at Little Paxton Presentation by the Head

Curriculum Why we are reconsidering the curriculum at Little Paxton Presentation by the Head Teacher to the Curriculum & Standards Committee 3/6/19 The difference between the National Curriculum and what is meant by the curriculum The

347 views • 9 slides
Consistency Analysis for Massively Inconsistent Datasets in Bound-to-Bound Data Collaboration

Consistency Analysis for Massively Inconsistent Datasets in Bound-to-Bound Data Collaboration

Consistency Analysis for Massively Inconsistent Datasets in Bound-to-Bound Data Collaboration Arun Hegde Wenyu Li James Oreluk Andrew Packard Michael Frenklach December 19, 2017 Abstract Bound-to-Bound Data Collaboration

462 views • 32 slides
Timeless Theory vs. Changing Users: Reconsidering Database Education Purpose of the Session

Timeless Theory vs. Changing Users: Reconsidering Database Education Purpose of the Session

Timeless Theory vs. Changing Users: Reconsidering Database Education Purpose of the Session Demonstration of subject matter mastery, teaching skills But theme topic required Focus on my two divergent roles Database and application

445 views • 28 slides
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp ESC, Echternach Symmetric Crypto seminar January 11, 2008 Blockcipher plaintext M

576 views • 40 slides
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp Africacrypt 2008, Casablanca, Morocco June 11, 2008 Blockcipher plaintext M key K E

720 views • 37 slides
Tweakable blockciphers with beyond-birthday-bound security Will Landecker, Thomas Shrimpton, and

Tweakable blockciphers with beyond-birthday-bound security Will Landecker, Thomas Shrimpton, and

Tweakable blockciphers with beyond-birthday-bound security Will Landecker, Thomas Shrimpton, and Seth Terashima Portland State University 1 Tweakable blockciphers (TBCs) Tweak T Input block X ( bits) ( n bits) Add an extra input, a

732 views • 21 slides
The lattice model (continued) This satisfies the definition of lattice. There is a single

The lattice model (continued) This satisfies the definition of lattice. There is a single

The lattice model (continued) This satisfies the definition of lattice. There is a single source and sink. The least upper bound of the security classes {x} and {z} is {x,z} and the greatest lower bound of the security classes {x,y} and

698 views • 31 slides
New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata Ibaraki University March 17, 2006 Fast Software Encryption, FSE 2006, Graz, Austria, March 1517, 2006 Blockcipher Modes Algorithms

1.42k views • 30 slides
Reconsidering green industrial policy: Does techno-nationalism maximise green growth in the

Reconsidering green industrial policy: Does techno-nationalism maximise green growth in the

Reconsidering green industrial policy: Does techno-nationalism maximise green growth in the domestic economy? Addressing political economy concerns of investing in green industrial policy with increasing global competition in supplying green

534 views • 42 slides
if H has a b reak p oint k m H ( N ) Hoeffding Inequality Union Bound VC Bound

if H has a b reak p oint k m H ( N ) Hoeffding Inequality Union Bound VC Bound

Review of Leture 6 The V C Inequalit y is p olynomial if H has a b reak p oint k m H ( N ) Hoeffding Inequality Union Bound VC Bound space of k data sets 1 2 3 4 5 6 . . . 1 1 2 2 2 2 2 . . D 2

530 views • 25 slides
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iMinds DIAC 2016 AEGIS 1 AEGIS: A shield carried by Athena and Zeus DIAC 2016 AEGIS 2 Different Design

524 views • 18 slides
Q1 2020 results May 6, 2020 Q1 2020 webcast 2 Q1 2020 Results May 6th, 2020 Forenote This

Q1 2020 results May 6, 2020 Q1 2020 webcast 2 Q1 2020 Results May 6th, 2020 Forenote This

Q1 2020 results May 6, 2020 Q1 2020 webcast 2 Q1 2020 Results May 6th, 2020 Forenote This presentation may contain forward-looking information. Forward-looking statements describe expectations, plans, strategies, goals, future events or

602 views • 16 slides
Advances in Internet data flow transport ISAE-SUPAERO Macquarie University, the 22nd November

Advances in Internet data flow transport ISAE-SUPAERO Macquarie University, the 22nd November

Advances in Internet data flow transport ISAE-SUPAERO Macquarie University, the 22nd November 2018 ISAE-SUPAERO 2018 1 / 1 Toulouse complex for space and aeronautic Toulouse, south west of France 1 000 000 inhabitants and we love rugby

2.02k views • 170 slides
Data-driven time parallelism and model reduction Kevin Carlberg 1 , Lukas Brencher 2 , Bernard

Data-driven time parallelism and model reduction Kevin Carlberg 1 , Lukas Brencher 2 , Bernard

Data-driven time parallelism and model reduction Kevin Carlberg 1 , Lukas Brencher 2 , Bernard Haasdonk 2 , Andrea Barth 2 Sandia National Laboratories 1 University of Stuttgart 2 SIAM Conference on UQ April 7, 2016 Data-driven time parallelism

735 views • 35 slides
In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings

In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings

In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings General Concept Plugin installation - always successful - keyrings variables may need correction - keyring_vault_config - keyring_file_data 3

780 views • 47 slides
Better proofs for rekeying Rekeying seems less dangerous. D. J. Bernstein Expand k into F (

Better proofs for rekeying Rekeying seems less dangerous. D. J. Bernstein Expand k into F (

1 2 Better proofs for rekeying Rekeying seems less dangerous. D. J. Bernstein Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Security of AES-256 key k is Split F ( k ) into 500000 subkeys. far below 2 256 in most

881 views • 58 slides
Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers will always cheat xkcd #538 What is side channel cryptanalysis? Side Channels: whatever the designers ignored Key Plaintext Encryption Cipher

1.14k views • 112 slides
Using Linear Codes as a Fault Countermeasure for Non-Linear Operations : Application to AES and

Using Linear Codes as a Fault Countermeasure for Non-Linear Operations : Application to AES and

Using Linear Codes as a Fault Countermeasure for Non-Linear Operations : Application to AES and Formal Verification work co-funded by the PRINCE project Sabine Azzi, Bruno Barras, Maria Christofi , David Vigilant PROOFS workshop 2015, September

493 views • 45 slides

More recommend