revisiting counter mode to repair galois counter mode
play

Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin - PowerPoint PPT Presentation

Aug 02, 2023 •199 likes •917 views

Intro Repairing GCM Simeck Design Summery Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada Aug 12, 2013 1 of 32 Revisiting CM to Repair GCM Intro Repairing GCM Simeck

  1. Intro Repairing GCM Simeck Design Summery Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada Aug 12, 2013 1 of 32 Revisiting CM to Repair GCM

  2. Intro Repairing GCM Simeck Design Summery Revisiting Counter Mode to Repair Galois/Counter Mode and Simeck: An Authenticated Cipher Design Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada Aug 12, 2013 2 of 32 Revisiting CM to Repair GCM, and Simeck

  3. Intro Repairing GCM Simeck Design Summery Motivations ◮ To study existing modes of operations ◮ Before designing authenticated ciphers 3 of 32 Revisiting CM to Repair GCM, and Simeck

  4. Intro Repairing GCM Simeck Design Summery Motivations ◮ To study existing modes of operations ◮ Before designing authenticated ciphers ◮ Recent attacks on GCM ◮ A flaw found in GCM’s security proofs in Crypto’12 ◮ Forgery attacks in FSE’12 and FSE’13 3 of 32 Revisiting CM to Repair GCM, and Simeck

  5. Intro Repairing GCM Simeck Design Summery Motivations ◮ To study existing modes of operations ◮ Before designing authenticated ciphers ◮ Recent attacks on GCM ◮ A flaw found in GCM’s security proofs in Crypto’12 ◮ Forgery attacks in FSE’12 and FSE’13 ◮ To study lightweight cipher designs ◮ To use with mode of operation 3 of 32 Revisiting CM to Repair GCM, and Simeck

  6. Intro Repairing GCM Simeck Design Summery Motivations ◮ To study existing modes of operations ◮ Before designing authenticated ciphers ◮ Recent attacks on GCM ◮ A flaw found in GCM’s security proofs in Crypto’12 ◮ Forgery attacks in FSE’12 and FSE’13 ◮ To study lightweight cipher designs ◮ To use with mode of operation ◮ Two block ciphers designed by people from NSA 3 of 32 Revisiting CM to Repair GCM, and Simeck

  7. Intro Repairing GCM Simeck Design Summery Outline Intro to Galois/Counter Mode Repairing Galois/Counter Mode The flaw in GCM’s proofs discovered by Iwata et al. A fix to GCM’s security proofs and bounds Simeck: A Simple Authenticated Cipher Design Design Rationales Specifications Summery and Future Work 4 of 32 Revisiting CM to Repair GCM, and Simeck

  8. Intro Repairing GCM Simeck Design Summery Outline Intro to Galois/Counter Mode Repairing Galois/Counter Mode The flaw in GCM’s proofs discovered by Iwata et al. A fix to GCM’s security proofs and bounds Simeck: A Simple Authenticated Cipher Design Design Rationales Specifications Summery and Future Work 5 of 32 Revisiting CM to Repair GCM, and Simeck

  9. Intro Repairing GCM Simeck Design Summery Galois/Counter Mode (GCM) ◮ One design of AEAD by McGrew and Viega in 2005 ◮ Counter Mode (CM) for encryption ◮ Galois MAC (GMAC) for authentication ◮ GCM comparing to CCM (CM + CBC-MAC) ◮ Less popular than CCM for historical reasons ◮ Supported by OpenSSH from v6.2 (March 2013) ◮ Incluced in NSA Suite B (CCM isn’t in) ◮ Suite A is classified ◮ Parallelizable computation 6 of 32 Revisiting CM to Repair GCM, and Simeck

  10. Intro Repairing GCM Simeck Design Summery Authentication by Galois MAC (GMAC) Additions and multiplications in GF (2 128 ) ◮ Authentication key: H = E K (0) The image is from Procter and Cid’s slides in FSE’13. 7 of 32 Revisiting CM to Repair GCM, and Simeck

  11. Intro Repairing GCM Simeck Design Summery Polynomial Based GHASH ◮ GMAC = GHASH ( H , A , C ) + E K ( IV ) ◮ GHASH m M i × H m − i +1 = g M ( H ) � h H ( M ) = i =1 ◮ Note: constant term is zero 8 of 32 Revisiting CM to Repair GCM, and Simeck

  12. Intro Repairing GCM Simeck Design Summery Encryption in Counter Mode (CM) The image is from Saarinen’s paper in FSE’12. 9 of 32 Revisiting CM to Repair GCM, and Simeck

  13. Intro Repairing GCM Simeck Design Summery Counter Generation ◮ Initial counter ◮ N 0 = IV || 0 32 , if len ( IV ) = 96 ◮ N 0 = GHASH H ( IV ), if len ( IV ) � = 96 10 of 32 Revisiting CM to Repair GCM, and Simeck

  14. Intro Repairing GCM Simeck Design Summery Counter Generation ◮ Initial counter ◮ N 0 = IV || 0 32 , if len ( IV ) = 96 ◮ N 0 = GHASH H ( IV ), if len ( IV ) � = 96 ◮ Generating counters N r +1 = msb 96 ( N r ) || lsb 32 ( N r ) ⊞ 1 10 of 32 Revisiting CM to Repair GCM, and Simeck

  15. Intro Repairing GCM Simeck Design Summery Counter Generation ◮ Initial counter ◮ N 0 = IV || 0 32 , if len ( IV ) = 96 ◮ N 0 = GHASH H ( IV ), if len ( IV ) � = 96 ◮ Generating counters N r +1 = msb 96 ( N r ) || lsb 32 ( N r ) ⊞ 1 ◮ Security of GCM highly depends the prob of counter collisions ◮ N ′ 0 = N ′′ 0 , N ′ r 1 = N ′′ r 2 10 of 32 Revisiting CM to Repair GCM, and Simeck

  16. Intro Repairing GCM Simeck Design Summery Counter Generation ◮ Initial counter ◮ N 0 = IV || 0 32 , if len ( IV ) = 96 ◮ N 0 = GHASH H ( IV ), if len ( IV ) � = 96 ◮ Generating counters N r +1 = msb 96 ( N r ) || lsb 32 ( N r ) ⊞ 1 ◮ Security of GCM highly depends the prob of counter collisions ◮ N ′ 0 = N ′′ 0 , N ′ r 1 = N ′′ r 2 ◮ if len ( IV ) � = 96, GHASH ( IV 1 ) = GHASH ( IV 2 ), GHASH ( IV 1 ) ⊞ r 1 = GHASH ( IV 2 ) ⊞ r 2 10 of 32 Revisiting CM to Repair GCM, and Simeck

  17. Intro Repairing GCM Simeck Design Summery Counter Generation ◮ Initial counter ◮ N 0 = IV || 0 32 , if len ( IV ) = 96 ◮ N 0 = GHASH H ( IV ), if len ( IV ) � = 96 ◮ Generating counters N r +1 = msb 96 ( N r ) || lsb 32 ( N r ) ⊞ 1 ◮ Security of GCM highly depends the prob of counter collisions ◮ N ′ 0 = N ′′ 0 , N ′ r 1 = N ′′ r 2 ◮ if len ( IV ) � = 96, GHASH ( IV 1 ) = GHASH ( IV 2 ), GHASH ( IV 1 ) ⊞ r 1 = GHASH ( IV 2 ) ⊞ r 2 ◮ GHASH ( IV 1 ) ⊞ ( r 1 − r 2 ) = GHASH ( IV 2 ) 10 of 32 Revisiting CM to Repair GCM, and Simeck

  18. Intro Repairing GCM Simeck Design Summery Counter Generation (Cont.) GHASH ( IV 1 ) ⊞ r = GHASH ( IV 2 ) h H ( IV 1 ) ⊞ r = h H ( IV 2 ) 11 of 32 Revisiting CM to Repair GCM, and Simeck

  19. Intro Repairing GCM Simeck Design Summery Counter Generation (Cont.) GHASH ( IV 1 ) ⊞ r = GHASH ( IV 2 ) h H ( IV 1 ) ⊞ r = h H ( IV 2 ) g IV 1 ( H ) ⊞ r = g IV 2 ( H ) 11 of 32 Revisiting CM to Repair GCM, and Simeck

  20. Intro Repairing GCM Simeck Design Summery Counter Generation (Cont.) GHASH ( IV 1 ) ⊞ r = GHASH ( IV 2 ) h H ( IV 1 ) ⊞ r = h H ( IV 2 ) g IV 1 ( H ) ⊞ r = g IV 2 ( H ) ◮ For a randomly chosen H , the collision prob is # { x : x ∈ GF (2 128 ) | g IV 1 ( x ) ⊞ r = g IV 2 ( x ) } 2 128 11 of 32 Revisiting CM to Repair GCM, and Simeck

  21. Intro Repairing GCM Simeck Design Summery Counter Generation (Cont.) GHASH ( IV 1 ) ⊞ r = GHASH ( IV 2 ) h H ( IV 1 ) ⊞ r = h H ( IV 2 ) g IV 1 ( H ) ⊞ r = g IV 2 ( H ) ◮ For a randomly chosen H , the collision prob is # { x : x ∈ GF (2 128 ) | g IV 1 ( x ) ⊞ r = g IV 2 ( x ) } 2 128 ◮ In the original security proofs of GCM, it was believed g IV 1 ( x ) ⊞ r = g IV 2 ( x ) has the same number of solutions as g IV 1 ( x ) ⊕ r = g IV 2 ( x ) 11 of 32 Revisiting CM to Repair GCM, and Simeck

  22. Intro Repairing GCM Simeck Design Summery Counter Generation (Cont.) GHASH ( IV 1 ) ⊞ r = GHASH ( IV 2 ) h H ( IV 1 ) ⊞ r = h H ( IV 2 ) g IV 1 ( H ) ⊞ r = g IV 2 ( H ) ◮ For a randomly chosen H , the collision prob is # { x : x ∈ GF (2 128 ) | g IV 1 ( x ) ⊞ r = g IV 2 ( x ) } 2 128 ◮ In the original security proofs of GCM, it was believed g IV 1 ( x ) ⊞ r = g IV 2 ( x ) has the same number of solutions as g IV 1 ( x ) ⊕ r = g IV 2 ( x ) which is upper-bounded by max { deg ( g IV 1 ( x )) , deg ( g IV 2 ( x )) } = max { len ( IV 1 ) , len ( IV 2 ) } + 1 11 of 32 Revisiting CM to Repair GCM, and Simeck

  23. Intro Repairing GCM Simeck Design Summery Provable Security Reparing GCM Outline Intro to Galois/Counter Mode Repairing Galois/Counter Mode The flaw in GCM’s proofs discovered by Iwata et al. A fix to GCM’s security proofs and bounds Simeck: A Simple Authenticated Cipher Design Design Rationales Specifications Summery and Future Work 12 of 32 Revisiting CM to Repair GCM, and Simeck

  24. Intro Repairing GCM Simeck Design Summery Provable Security Reparing GCM Problem in N r ⊞ 1 ◮ Pointed out by Iwata et al. in Crypto’12 ◮ N r ⊞ 1 is non-linear in Galois field ◮ f ( x ) ⊞ r = g ( x ) can be converted to multiple forms of equations in GF 13 of 32 Revisiting CM to Repair GCM, and Simeck

  25. Intro Repairing GCM Simeck Design Summery Provable Security Reparing GCM Problem in N r ⊞ 1 ◮ Pointed out by Iwata et al. in Crypto’12 ◮ N r ⊞ 1 is non-linear in Galois field ◮ f ( x ) ⊞ r = g ( x ) can be converted to multiple forms of equations in GF ◮ Much more solutions than expected max { len ( IV 1 ) , len ( IV 2 ) } + 1 ◮ α r times more solutions ◮ for r < 2 32 , α r is up to 2 22 α r · (max { len ( IV 1 ) , len ( IV 2 ) } + 1) ≤ 2 22 · (max { len ( IV 1 ) , len ( IV 2 ) } + 1) 13 of 32 Revisiting CM to Repair GCM, and Simeck

  26. Intro Repairing GCM Simeck Design Summery Provable Security Reparing GCM Actual Security Bounds of GCM ◮ New security bounds of GCM were also given by Iwata et al. ◮ for both of privacy (encryption) and authenticity (MAC) ◮ almost 2 22 looser than originally claimed 14 of 32 Revisiting CM to Repair GCM, and Simeck

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan Leurent Inria, quipe SECRET April 10, 2018 1 / 29 Introduction

975 views • 74 slides
The Missing Difference Problem, and its Applications to Counter Mode Encryption Gatan Leurent,

The Missing Difference Problem, and its Applications to Counter Mode Encryption Gatan Leurent,

Introduction The counter mode Missing difference problem Cryptanalysis Conclusion The Missing Difference Problem, and its Applications to Counter Mode Encryption Gatan Leurent, Ferdinand Sibleyras Inria, quipe SECRET EUROCRYPT 2018 1 /

856 views • 56 slides
OWCM: One-Way Counter Mode Danilo Gligoroski and Hristina Mihajloska and Hkon Jacobsen

OWCM: One-Way Counter Mode Danilo Gligoroski and Hristina Mihajloska and Hkon Jacobsen

1 OWCM: One-Way Counter Mode Danilo Gligoroski and Hristina Mihajloska and Hkon Jacobsen Department of Telematics, Faculty of Information Technology, Mathematics and Electrical Engineering Norwegian University of Science and

1.1k views • 45 slides
Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada CANS 2013 Nov 20, 2013 1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM Galois/Counter Mode (GCM)

957 views • 56 slides
8051 Serial Port and Timer/Counter Serial Port Timer Counter Chatchai Jantaraprim

8051 Serial Port and Timer/Counter Serial Port Timer Counter Chatchai Jantaraprim

8051 Serial Port and Timer/Counter Serial Port Timer Counter Chatchai Jantaraprim (cj@coe.psu.ac.th) 8051 Timer/Counter Two internal Timers/Counters 16-bit timer/counter Timer uses system clock as source of input pulses Counter uses external

273 views • 8 slides
Counter Braids: A novel counter architecture Balaji Prabhakar Balaji Prabhakar Stanford

Counter Braids: A novel counter architecture Balaji Prabhakar Balaji Prabhakar Stanford

Counter Braids: A novel counter architecture Balaji Prabhakar Balaji Prabhakar Stanford University Joint work with: Yi Lu, Andrea Montanari , Sarang Dharmapurikar and Abdul Kabbani Overview Counter Braids Background: current

601 views • 30 slides
Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen

Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen

Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen (quannguyen@google.com) Google Information Security Engineer (ISE) My Job Conduct security reviews, i.e., play the attacker role mentioned in

516 views • 29 slides
Counter/Timers Overview ATmega328P has two 8-bit and one 16-bit counter/timers. Unit C

Counter/Timers Overview ATmega328P has two 8-bit and one 16-bit counter/timers. Unit C

C.1 C.2 Counter/Timers Overview ATmega328P has two 8-bit and one 16-bit counter/timers. Unit C Timers and Counters Can count at some rate up to a value, generate an interrupt and start over counting from 0. Useful for performing

402 views • 5 slides
Can We Understand Performance Counter Results? Vince Weaver ICL Lunch Talk 23 July 2010 How Do

Can We Understand Performance Counter Results? Vince Weaver ICL Lunch Talk 23 July 2010 How Do

Can We Understand Performance Counter Results? Vince Weaver ICL Lunch Talk 23 July 2010 How Do We Know if Counters are Working? Three common failures: Wrong counter (PAPI, Kernel, User) Counter works but gives wrong values Counter

376 views • 36 slides
LETS PLAY! 100 99 98 97 96 O o p s , S o Salty just got a little u r P s u s

LETS PLAY! 100 99 98 97 96 O o p s , S o Salty just got a little u r P s u s

How to play: Each player puts their counter on the space that says 'START'. Take it in turns to roll the dice. Move your counter forward the number of spaces shown on the dice. If your counter lands at the bottom of a ladder, you can move up to

390 views • 5 slides
For Loops and Arrays November 13, 2008 Counting Initialize counter Test counter against limit

For Loops and Arrays November 13, 2008 Counting Initialize counter Test counter against limit

For Loops and Arrays November 13, 2008 Counting Initialize counter Test counter against limit int fireworkCount = 0; while (fireworkCount &lt; NUM_IN_FINALE) { new Firework (...); Repeating Task fireworkCount++; } Increment counter

527 views • 4 slides
Org-mode Nick Higham April 22, 2013 Nick Higham Org-mode 1 / 7 University of Manchester What

Org-mode Nick Higham April 22, 2013 Nick Higham Org-mode 1 / 7 University of Manchester What

Org-mode Nick Higham April 22, 2013 Nick Higham Org-mode 1 / 7 University of Manchester What is Org Mode? Emacs mode for note taking task management tables and spreadsheets producing L A T EX documents and web pages literate

212 views • 7 slides
Decidable Problems for Counter Systems Day 1 Introduction to Counter Systems St ephane Demri

Decidable Problems for Counter Systems Day 1 Introduction to Counter Systems St ephane Demri

Decidable Problems for Counter Systems Day 1 Introduction to Counter Systems St ephane Demri demri@lsv.ens-cachan.fr LSV, ENS Cachan, CNRS, INRIA ESSLLI 2010, Copenhagen, August 2010 What is in the course? Analysis of Counter Systems

778 views • 65 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Taxonomy of security Authenticated encryption

440 views • 26 slides
Breaking and Repairing GCM Security Proofs Tetsu Iwata, Nagoya University Keisuke Ohashi, Nagoya

Breaking and Repairing GCM Security Proofs Tetsu Iwata, Nagoya University Keisuke Ohashi, Nagoya

Breaking and Repairing GCM Security Proofs Tetsu Iwata, Nagoya University Keisuke Ohashi, Nagoya University Kazuhiko Minematsu, NEC Corporation CRYPTO 2012 August 20, 2012, Santa Barbara, USA GCM Galois/Counter Mode authenticated encryption

414 views • 29 slides
Educational topic: FT8 digital mode What is FT8 Digital operating mode that started gaining

Educational topic: FT8 digital mode What is FT8 Digital operating mode that started gaining

Educational topic: FT8 digital mode What is FT8 Digital operating mode that started gaining momentum in 2017 Named after Its developers Steven Franke (K9AN) Joe Taylor (K1JT) Mode uses an 8-frequency shift keying format Signals occupy 50 Hz

472 views • 21 slides
Cyclic Sieving Phenomenon of Plane Partitions and Cluster Duality of Grassmannian Daping Weng

Cyclic Sieving Phenomenon of Plane Partitions and Cluster Duality of Grassmannian Daping Weng

Cyclic Sieving Phenomenon of Plane Partitions and Cluster Duality of Grassmannian Cyclic Sieving Phenomenon of Plane Partitions and Cluster Duality of Grassmannian Daping Weng Yale University March 2018 Joint work with Jiuzu Hong and Linhui

945 views • 78 slides
Some Algorithmic questions in Finite Group Theory V Arvind Institute of Mathematical Sciences,

Some Algorithmic questions in Finite Group Theory V Arvind Institute of Mathematical Sciences,

Some Algorithmic questions in Finite Group Theory V Arvind Institute of Mathematical Sciences, Chennai India email arvind@imsc.res.in June 30, 2015 Plan of Talk Permutation groups: background and some basic algorithms. Plan of Talk

1.62k views • 141 slides
Loop O ( n ) model on random quadrangulations: the cascade of loop perimeters 12 Pascal

Loop O ( n ) model on random quadrangulations: the cascade of loop perimeters 12 Pascal

Loop O ( n ) model on random quadrangulations: the cascade of loop perimeters 12 Pascal Maillard 6 4 1 2 3 4 5 2 1 1 (Universit Paris-Sud / Paris-Saclay) 2 11 12 21 based on joint work with 1 1 Linxiao Chen and Nicolas

913 views • 63 slides
Commutators cannot be proper powers in metric small-cancellation torsion-free groups Liza

Commutators cannot be proper powers in metric small-cancellation torsion-free groups Liza

Introduction How does the map look like? Transport network on the map Conclusion of the proof Commutators cannot be proper powers in metric small-cancellation torsion-free groups Liza Frenkel, Moscow State University based on joint result

397 views • 26 slides
Math-O-Trick NISER Open Day Devashish, Gaurish, Hitesh, Padma, Simran, Swaroop &amp; Swati 08

Math-O-Trick NISER Open Day Devashish, Gaurish, Hitesh, Padma, Simran, Swaroop &amp; Swati 08

Math-O-Trick NISER Open Day Devashish, Gaurish, Hitesh, Padma, Simran, Swaroop &amp; Swati 08 April 2017 Let x be the position of the card, from the top in a face down pack of n cards, that is left after performing the said procedure. Then x =

479 views • 11 slides
Dessins denfants and transcendental lattices of singular K 3 surfaces Dessins denfants

Dessins denfants and transcendental lattices of singular K 3 surfaces Dessins denfants

Dessins denfants and transcendental lattices of singular K 3 surfaces Dessins denfants and transcendental lattices of extremal elliptic surfaces Saitama, 2008 March Ichiro Shimada (Hokkaido University) = (Hiroshima University)

826 views • 33 slides
Symmetric coverings and the Bruck-Ryser-Chowla theorem Daniel Horsley (Monash University,

Symmetric coverings and the Bruck-Ryser-Chowla theorem Daniel Horsley (Monash University,

Symmetric coverings and the Bruck-Ryser-Chowla theorem Daniel Horsley (Monash University, Australia) Joint work with Darryn Bryant, Melinda Buchanan, Barbara Maenhaut and Victor Scharaschkin and with Nevena Franceti c and Sara Herke Part

1.22k views • 95 slides
Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario

Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario

Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario School of Mathematics and Statistics Carleton University daniel@math.carleton.ca ASCrypto (Advanced School of Cryptography) Latincrypt 2019

971 views • 62 slides

More recommend