riv and resilient authenticated encryption
play

RIV and Resilient Authenticated Encryption Farzaneh Abed 1 , - PowerPoint PPT Presentation

Jan 03, 2024 •745 likes •1.16k views

RIV and Resilient Authenticated Encryption Farzaneh Abed 1 , Christian Forler 2 , Eik List 1 , Stefan Lucks 1 , Jakob Wenzel 1 1 Bauhaus-Universitt Weimar 2 Hochschule Schmalkalden Dagstuhl, Jan 10-15, 2016 Section 1 RIV Dagstuhl, Jan 10-15,

  1. RIV and Resilient Authenticated Encryption Farzaneh Abed 1 , Christian Forler 2 , Eik List 1 , Stefan Lucks 1 , Jakob Wenzel 1 1 Bauhaus-Universität Weimar 2 Hochschule Schmalkalden Dagstuhl, Jan 10-15, 2016

  2. Section 1 RIV Dagstuhl, Jan 10-15, 2016 2/19 Bauhaus-Universität Weimar RIV and Resilient AE

  3. What is RIV? Nonce-based AE scheme Authenticity and privacy in standard setting Derived from SIV Robust Full authenticity + DAE-privacy under nonce re-use ( like SIV ) Preserves security properties under release of unverified plaintexts ( unlike SIV ) Provably secure, assuming only the AES is secure Inverse-free Efficient instantiation (pseudo-dot-product hashing + AES) Dagstuhl, Jan 10-15, 2016 3/19 Bauhaus-Universität Weimar RIV and Resilient AE

  4. Recent Definitions for “Robustness” Boldyreva et al.’13 Studied effects of multiple distintinguishable error messages in probabilistic or stateful schemes. Andreeva et al.’14 Captured remaining security under release of unverified plaintexts (RUP). Hoang et al.’15 Defined robust AE (RAE) as a notion for best achievable security of an AE scheme with a user-chosen ciphertext expansion. Badertscher et al.’15 Investigated RAE with the frameworks by Maurer and Renner. Barwell et al.’15 Defined subtle AE as reference framework for the other notions. Model leakage beyond that of invalid plaintext; allows to model leakage as a property of the decryption implementation rather than of the scheme. Dagstuhl, Jan 10-15, 2016 4/19 Bauhaus-Universität Weimar RIV and Resilient AE

  5. Previous Robust AE Schemes Four CAESAR candidates: Julius [Bahack]: no 2nd-round CAESAR candidate POET [Abed et al.]: on-line APE [Andreeva et al.]: on-line AEZ [Hoang et al.]: “proof-then-prune” (see below) Beyond CAESAR: Mr. Monster Burrito [Bertoni et al.’14] Protected IV [Shrimpton and Terashima’13] OleF [Bhaumik and Nandi’15]: on-line mCPFB [Chakraborti et al.’15]: on-line, rate-3/4 sp-AELM [Agrawal et al.’15]: on-line encryption, off-line decryption Theoretically, any secure STPRP can be transformed into a robust AE scheme using Encode-then-Encipher [Hoang et al.’14]. Dagstuhl, Jan 10-15, 2016 5/19 Bauhaus-Universität Weimar RIV and Resilient AE

  6. “Prove” – AEZ, as Proven Secure black boxes: block ciphers .......... first 2m message blocks .......... last 2 blocks M M’ M M’ M M’ 1 1 m m m+1 m+1 X X 1 X m S Y S Y m 1 S � � � � � � � � � � � � Y C1 C’ Cm C’ Cm+1 C’ 1 m m+1 Dagstuhl, Jan 10-15, 2016 6/19 Bauhaus-Universität Weimar RIV and Resilient AE

  7. “Then Prune” – The Proposed Instantiation of AEZ Except for two calls, all block-cipher invocations are replaced by 4-round AES .......... first 2m message blocks .......... last 2 blocks M M’ M M’ M M’ 1 1 m m m+1 m+1 ���� ���� ��� ��� ��� ��� ���� ���� ��� ��� ��� ��� ���� ���� ��� ��� ��� ��� ��� ��� ��� ��� ��� ��� ��� ��� ��� ��� ��� ��� ���� ���� ��� ��� ���� ���� ��� ��� � � � � � � � � � � � � ���� ���� ��� ��� ���� ���� ��� ��� ���� ���� ��� ��� ��� ��� ���� ���� ��� ��� ��� ��� C1 C’ Cm C’ Cm+1 C’ 1 m m+1 Dagstuhl, Jan 10-15, 2016 7/19 Bauhaus-Universität Weimar RIV and Resilient AE

  8. “Deterministic AE” with SIV Rogaway and Shrimpton’06 H/N: Header and nonce M: Message C/T: Ciphertext (with tag) H/N M PRF CTR T C Dagstuhl, Jan 10-15, 2016 8/19 Bauhaus-Universität Weimar RIV and Resilient AE

  9. “Deterministic AE” with SIV Rogaway and Shrimpton’06 H/N: Header and nonce M: Message C/T: Ciphertext (with tag) H/N M PRF Secure against nonce-respecting adversaries CTR T C Dagstuhl, Jan 10-15, 2016 8/19 Bauhaus-Universität Weimar RIV and Resilient AE

  10. “Deterministic AE” with SIV Rogaway and Shrimpton’06 H/N: Header and nonce M: Message C/T: Ciphertext (with tag) H/N M PRF Secure against nonce-respecting adversaries CTR Maximum resilience to nonce reuse T C Dagstuhl, Jan 10-15, 2016 8/19 Bauhaus-Universität Weimar RIV and Resilient AE

  11. “Deterministic AE” with SIV Rogaway and Shrimpton’06 H/N: Header and nonce M: Message C/T: Ciphertext (with tag) H/N M PRF Secure against nonce-respecting adversaries CTR Maximum resilience to nonce reuse T C Off-line Dagstuhl, Jan 10-15, 2016 8/19 Bauhaus-Universität Weimar RIV and Resilient AE

  12. “Deterministic AE” with SIV Rogaway and Shrimpton’06 H/N: Header and nonce M: Message C/T: Ciphertext (with tag) H/N M PRF Secure against nonce-respecting adversaries CTR Maximum resilience to nonce reuse T C Off-line No resilience to RUP ( ≈ one-time-pad used twice) Dagstuhl, Jan 10-15, 2016 8/19 Bauhaus-Universität Weimar RIV and Resilient AE

  13. RIV: SIV with one more round zero H/N M H/N: Header and nonce M: Message PRF−1 C/T: Ciphertext (with tag) zero: constant 0 n CTR R PRF−2 T C Dagstuhl, Jan 10-15, 2016 9/19 Bauhaus-Universität Weimar RIV and Resilient AE

  14. RIV: SIV with one more round zero H/N M H/N: Header and nonce M: Message PRF−1 C/T: Ciphertext (with tag) zero: constant 0 n CTR R Same properties as SIV PRF−2 Except for T C Maximum resilience to RUP Dagstuhl, Jan 10-15, 2016 9/19 Bauhaus-Universität Weimar RIV and Resilient AE

  15. RIV: Ideas for Security Proof Security up to birthday bound Chosen plaintext (H/N. M): PRF-1 will produce a random R for every new zero H/N M query ( H / N , M ) PRF−1 CTR R PRF−2 T C Dagstuhl, Jan 10-15, 2016 10/19 Bauhaus-Universität Weimar RIV and Resilient AE

  16. RIV: Ideas for Security Proof Security up to birthday bound Chosen plaintext (H/N. M): PRF-1 will produce a random R for every new zero H/N M query ( H / N , M ) → C and T are random PRF−1 R CTR PRF−2 T C Dagstuhl, Jan 10-15, 2016 10/19 Bauhaus-Universität Weimar RIV and Resilient AE

  17. RIV: Ideas for Security Proof Security up to birthday bound Chosen plaintext (H/N. M): PRF-1 will produce a random R for every new zero H/N M query ( H / N , M ) → C and T are random PRF−1 Chosen (H/N. T. C): PRF-2 will produce a CTR R random R for every new ( H / N , C ) PRF−2 T C Dagstuhl, Jan 10-15, 2016 10/19 Bauhaus-Universität Weimar RIV and Resilient AE

  18. RIV: Ideas for Security Proof Security up to birthday bound Chosen plaintext (H/N. M): PRF-1 will produce a random R for every new zero H/N M query ( H / N , M ) → C and T are random PRF−1 Chosen (H/N. T. C): PRF-2 will produce a CTR R random R for every new ( H / N , C ) PRF−2 For old ( H / N , C ) the value T must be new – and thus R T C Dagstuhl, Jan 10-15, 2016 10/19 Bauhaus-Universität Weimar RIV and Resilient AE

  19. RIV: Ideas for Security Proof Security up to birthday bound Chosen plaintext (H/N. M): PRF-1 will produce a random R for every new zero H/N M query ( H / N , M ) → C and T are random PRF−1 Chosen (H/N. T. C): PRF-2 will produce a R CTR random R for every new ( H / N , C ) PRF−2 For old ( H / N , C ) the value T must be new – and thus R T C → M is random, and → Output of PRF-1 will not match Dagstuhl, Jan 10-15, 2016 10/19 Bauhaus-Universität Weimar RIV and Resilient AE

  20. Instantiation of RIV Based on AES-128 PRFs: Encode-Hash-Encrypt: Unique encoding for inputs Apply CLHASH, a multi-stage universal hash function Feed result into block cipher Encryption: AES in CTR mode Dagstuhl, Jan 10-15, 2016 11/19 Bauhaus-Universität Weimar RIV and Resilient AE

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
DPA-Protected Authenticated Encryption Mostafa Taha and Patrick Schaumont Virginia Tech

DPA-Protected Authenticated Encryption Mostafa Taha and Patrick Schaumont Virginia Tech

A Key Management Scheme for DPA-Protected Authenticated Encryption Mostafa Taha and Patrick Schaumont Virginia Tech DIAC-2013 This research was supported in part by the VT-MENA program of Egypt, and by NSF grant no. 1115839. Leakage-Resilient

636 views • 48 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein University of Illinois at Chicago & m Technische Universiteit Eindhoven c k More details, credits: competitions.cr.yp.to network

1.33k views • 118 slides
The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich and Christian Rechberger University of Luxembourg and DTU (Denmark) Presented by Yu Sasaki (NTT, Japan) 15 August 2013 Authenticated encryption

556 views • 22 slides
Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

(A brief, incomplete) Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and Privacy June 11, 2018 Authenticated Encryption M M Its complicated Probabilistic or deterministic AE? Nonce based AE?

868 views • 47 slides
Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan Daemen 1 , Michal Peeters 2 , and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. While mainstream symmetric cryptography has

519 views • 12 slides
Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva COSIC, KU Leuven, Belgium Cryptoday 2014 Technion, Haifa, Israel 30/12/2014 Outline Authenticated Encryption: AE Generic AE composition

732 views • 55 slides
Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

ELmD Authenticated Encryption Scheme EME based Authenticated Encryption Schemes Comparative Study of ELmD with other EME based AEs Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul Nandi Indian

364 views • 20 slides
The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton DIAC Directions in Authenticated Ciphers 05 July 2012

748 views • 52 slides
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological University, Katholieke Universiteit Leuven Presented at DIAC 1 Classification of Authenticated Encryption AEGIS Design rationale

635 views • 19 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Taxonomy of security Authenticated encryption

440 views • 26 slides
CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE: Challenges in Authenticated Encryption https://chae.cr.yp.to Contributors to the white paper Jean-Philippe Aumasson David McGrew Steve Babbage

411 views • 4 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Authenticated Encryption! ( Using AES with 128

893 views • 67 slides
Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr

Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr

Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr 2 1 NEC Laboratories Europe, Germany 2 EPFL, Switzerland DIAC 2016: Directions in Authenticated Ciphers 2016 This work was partially supported by

696 views • 43 slides
How much meaning can you pack into a real-valued vector? Semantic similarity measuring using

How much meaning can you pack into a real-valued vector? Semantic similarity measuring using

How much meaning can you pack into a real-valued vector? Semantic similarity measuring using recursive auto-encoders Wojciech Walczak Samsung R&D Institute Poland, 2016 Agenda Why are we here? Why is paraphrase detection important?

483 views • 22 slides
Identifying Relevant Sources for Data Linking using a Semantic Web Index Andriy Nikolov Mathieu

Identifying Relevant Sources for Data Linking using a Semantic Web Index Andriy Nikolov Mathieu

Identifying Relevant Sources for Data Linking using a Semantic Web Index Andriy Nikolov Mathieu dAquin Knowledge Media Institute The Open University, UK How to link a new dataset? What other repositories contain relevant data which I

546 views • 16 slides
Extensible and Scalable Network Monitoring Using OpenSAFE Jeffrey R. Ballard Ian Rae Aditya

Extensible and Scalable Network Monitoring Using OpenSAFE Jeffrey R. Ballard Ian Rae Aditya

Background OpenSAFE and ALARMS Implementation Conclusion Extensible and Scalable Network Monitoring Using OpenSAFE Jeffrey R. Ballard Ian Rae Aditya Akella Jeffrey R. Ballard, Ian Rae, Aditya Akella Extensible and Scalable Network

817 views • 36 slides
Applying QM Standards: The Process and Product of a Program Review Rae Mancilla, Ed.D. &

Applying QM Standards: The Process and Product of a Program Review Rae Mancilla, Ed.D. &

Applying QM Standards: The Process and Product of a Program Review Rae Mancilla, Ed.D. & Barbara Frey, D.Ed. Agenda Introductions Program background Review process Report critique Discussion Q/A Session Objectives

654 views • 16 slides
Combining Teaching and Research in Text-Mining from Social and Cultural Data Claire Brierley and

Combining Teaching and Research in Text-Mining from Social and Cultural Data Claire Brierley and

School of something FACULTY OF OTHER Combining Teaching and Research in Text-Mining from Social and Cultural Data Claire Brierley and Eric Atwell School of Games Computing and Creative Technologies, University of Bolton and School of

551 views • 17 slides
How Much Self-Attention Do We Need? Trading Attention for Feed-Forward Layers Kazuki Irie *,

How Much Self-Attention Do We Need? Trading Attention for Feed-Forward Layers Kazuki Irie *,

How Much Self-Attention Do We Need? Trading Attention for Feed-Forward Layers Kazuki Irie *, Alexander Gerstenberger, Ralf Schl uter, Hermann Ney Human Language Technology and Pattern Recognition Group RWTH Aachen University, Aachen, Germany

407 views • 17 slides
The case against specialized graph engines Jing Fan, Adalbert Gerald

The case against specialized graph engines Jing Fan, Adalbert Gerald

The case against specialized graph engines Jing Fan, Adalbert Gerald Soosai Raj, and Jignesh M. Patel University of Wisconsin Madison 01/06/2015 University of WisconsinMadison 1 Motivation Graph

442 views • 21 slides
Measu easuri ring What Mat atters: : KPI PIs for Data Quality, Cost st, and Sp Speed

Measu easuri ring What Mat atters: : KPI PIs for Data Quality, Cost st, and Sp Speed

Measu easuri ring What Mat atters: : KPI PIs for Data Quality, Cost st, and Sp Speed Panelists: Smita Asare , Executive Director, I-SPY Trials Operations at Quantum Leap Healthcare Collaborative Iris Castro, MPH, CCRP , Clinical Project

835 views • 19 slides

More recommend