spae
play

SPAE A Single Pass Authenticated Encryption scheme Philippe - PowerPoint PPT Presentation

Dec 31, 2023 •235 likes •519 views

Motivations Design of SPAE Security of the scheme Performances SPAE A Single Pass Authenticated Encryption scheme Philippe Elbaz-Vincent 1 , Cyril Hugounenq 1 , Sbastien Riou 2 1 Univ. Grenoble Alpes / Institut Fourier,

  1. Motivations Design of SPAE Security of the scheme Performances SPAE A Single Pass Authenticated Encryption scheme Philippe Elbaz-Vincent 1 , Cyril Hugounenq 1 , Sébastien Riou 2 1 Univ. Grenoble Alpes / Institut Fourier, philippe.elbaz-vincent@univ-grenoble-alpes.fr, cyril.hugounenq@univ-grenoble-alpes.fr 2 Tiempo, France, sebastien.riou@tiempo-secure.com This work is supported by SECURIOT-2-AAP FUI 23 and by ANR-15-IDEX-02. WRACH, Roscoff, 18 April, 2019 Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 1/22

  2. Motivations Design of SPAE Security of the scheme Performances Secure IC with external flash memory � Typical secure element/smart card: internal flash memory (everything on single chip) � Our goals: � Use external flash memory � Achieve same security level Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 2/22

  3. Motivations Design of SPAE Security of the scheme Performances What could go wrong ? � On the fly traffic analysis � Replay attacks Clear need for: � Confidentiality � Authenticity � Freshness Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 3/22

  4. Motivations Design of SPAE Security of the scheme Performances What could go wrong ? � On the fly traffic analysis � Replay attacks Clear need for: � Confidentiality � Authenticity � Freshness ⇒ We need an Authenticated Encryption scheme. Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 3/22

  5. Motivations Design of SPAE Security of the scheme Performances Authenticated Encryption (AE or AEAD) Symmetric encrypt-sign and decrypt-verify in a single algorithm K K N N C , C , P Enc Dec P or TAG failure TAG in TAG A A Our use case: � NONCE N generated and stored inside the secure element � Cipher-text C and TAG stored outside Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 4/22

  6. Motivations Design of SPAE Security of the scheme Performances Requirements of our scheme Optimization goals: � Silicon area, � Performance, energy efficiency (small message size), � Development effort. In the context of a secure element/smart card, this means: � Use AES (market constraint), � Use simple linear operators (XOR, rotate...), � Fast in single thread ⇒ Single Pass, � Prevent DFA attacks at algorithm level. Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 5/22

  7. Motivations Design of SPAE Security of the scheme Performances Existing AE schemes � 2 Passes: � AES-GCM[MV04] � AES-CCM [Dwo04] � COLM [ABD + 15] 1 � SIV [RS07] � Not using AES: � NORX [AJN14] � ASCON [DEMS16] � CHACHA20-POLY1305 [Ber08], [Ber05], RFC7539 � Ideal but patented: � OCB[RBB03] 1 Final portofolio members of CAESAR [Ber14] in green Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 6/22

  8. Motivations Design of SPAE Security of the scheme Performances Existing AE schemes � 2 Passes: � AES-GCM[MV04] � AES-CCM [Dwo04] � COLM [ABD + 15] 1 � SIV [RS07] � Not using AES: � NORX [AJN14] � ASCON [DEMS16] � CHACHA20-POLY1305 [Ber08], [Ber05], RFC7539 � Ideal but patented: � OCB[RBB03] ⇒ We need a new AE scheme. 1 Final portofolio members of CAESAR [Ber14] in green Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 6/22

  9. Motivations Design of SPAE Security of the scheme Performances SPAE overview a: number of AD blocks KN : key derived from K and N m: number of message blocks PT 0 , CT 0 : initialization values AT a : tag over AD PT m , CT m : message tag values Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 7/22

  10. Motivations Design of SPAE Security of the scheme Performances SPAE Associated Data processing Ek : block cipher call with key K , for example AES-128. Equations AT 0 = 0 AT i +1 = E K ( AT i ⊕ A i ) A i are blocks of associated data Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 8/22

  11. Motivations Design of SPAE Security of the scheme Performances SPAE Initialization and key derivation PT 0 and CT 0 can be precomputed. Design Rationale We choose those values to be strongly linked with the key since their secrecy is crucial to the security Equations of the scheme. KN = NONCE ⊕ K CT 0 = E K ( K ) PT 0 = K ⊕ CT 0 Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 9/22

  12. Motivations Design of SPAE Security of the scheme Performances SPAE message processing Equations Reminders C i = E KN ( PT i ⊕ P i ) ⊕ CT i KN = K ⊕ NONCE PT i +1 = E KN ( PT i ⊕ P i ) ⊕ P i P i ( C i ) are blocks of plain(cipher)-text. CT i +1 = PT i ⊕ CT i We aim to instantiate AES for E . Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 10/22

  13. Motivations Design of SPAE Security of the scheme Performances SPAE TAG generation for m > 0 Equations MT = HSWAP ( CT m ) ⊕ PT m IT = AT a ⊕ MT TAG = E KN ( IT ⊕ PADINFO ) ⊕ CT m Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 11/22

  14. Motivations Design of SPAE Security of the scheme Performances Security of the scheme Setting of the attacker The attacker is able to ask the encryption of any triple ( N i , A i , M i ) but can ask only once an encryption with a same nonce N . Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 12/22

  15. Motivations Design of SPAE Security of the scheme Performances Security of the scheme Setting of the attacker The attacker is able to ask the encryption of any triple ( N i , A i , M i ) but can ask only once an encryption with a same nonce N . Proposition The attacker is not able to get a pair of values ( X , E KN ( X )) with some constant block X . Idea of the proof : We look at all the relations between the variables and the reuse of outputs. Rationale Design We choose to have two distincts internal variables to protect the knowledge of pairs of values ( X , E KN ( X )). Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 12/22

  16. Motivations Design of SPAE Security of the scheme Performances Differential analysis Proposition The resilience of the scheme to differential attacks is as strong as the one of the encryption function E K (which we aim to be AES ). Idea of the proof : To estimate the security, we upper bound the maximum probability of differential pairs ( δ X , δ Y ) we could get with the differential pair of the encryption function E K . Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 13/22

  17. Motivations Design of SPAE Security of the scheme Performances Differential Fault Analysis The design of the scheme has been made with the aim to minimize the necessity to protect the use of E K . � For encryption and decryption we need only to protect the production of the TAG . Design Rationale � Using a key KN = K ⊕ NONCE dependant of the NONCE is a benefical choice against DFA. � Using HSWAP was motivated by DFA to avoid cancellation of non symmetrical faults in decryption. Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 14/22

  18. Motivations Design of SPAE Security of the scheme Performances Privacy of the scheme Proposition If the the adversary, "respecting the rules", asks q queries ( N , A i , M i ) that entails σ n blockcipher calls of E KN then � 1 . 5 σ n ( σ n − 1) Adv priv . Π 2 blocksize For example with AES blocksize = 128. Idea of the proof : We use a game playing argument measuring the distance to a perfect blockcipher (see lemma 3 of Krovetz and Rogaway [KR11] for details). Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 15/22

  19. Motivations Design of SPAE Security of the scheme Performances Authenticity of the scheme Proposition If the adversary asks q queries that entails σ blockcipher calls then � 1 Adv auth Π Γ with Γ the size of the codomain of the function ( x ) �→ x ⊕ E K ( x ). Idea of the proof We make a strong supposition for the attacker and we conclude by the fact that the attacker does not know any couple of values X , E K ( X ). Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 16/22

  20. Motivations Design of SPAE Security of the scheme Performances Benchmark: ARM-Cortex-M4 � AES implementations: � MMCAU: Flexible cryptographic accelerator, � FAST: Software AES optimized for speed (use 8 Kbytes Tbox LUT), � SMALL: Software AES optimized for size (use 256 bytes Sbox LUT). Table: MbedTLS benchmark 2 on FRDM-K64F board, 1024 bytes messages Algorithm AES implementation Kbytes/s cycles/byte AES-SPAE-128 MMCAU 3101 37.8 AES-SPAE-128 FAST 1141 102.9 AES-SPAE-128 SMALL 546 215.1 AES-GCM-128 FAST 401 293.0 AES-CCM-128 FAST 476 246.8 2 Benchmarking code taken from https://github.com/wolfeidau/mbedtls Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 17/22

  21. Motivations Design of SPAE Security of the scheme Performances Benchmark: ARM-Cortex-M0 STM32L011K4 is a low end device: � no hardware AES, � only 16KB FLASH, 2KB RAM. Table: Benchmark on STM32L011 Nucleo board clock cycles cycles/byte SPAE 18.2K 1140 CCM 42.0K 2627 OCB 43.0K 2689 GCM 65.6K 4100 Scenario: encrypt and authenticate a 16 bytes message CCM,OCB and GCM implementations from CIFRA library 3 3 https://github.com/ctz/cifra Philippe Elbaz-Vincent, Cyril Hugounenq , Sébastien Riou SPAE 18/22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

T w + C Minimize T z fo r some Z spae N 1 n 2 w n =1 K ( x , x ) =

T w + C Minimize T z fo r some Z spae N 1 n 2 w n =1 K ( x , x ) =

Review of Leture 15 Soft-ma rgin SVM Kernel metho ds T w + C Minimize T z fo r some Z spae N 1 n 2 w n =1 K ( x , x ) = z Hi Hi violation Same as ha rd ma rgin, but 0 n C Hi Hi

405 views • 21 slides
How Earthquake Risk Depends on the Closeness to a Fault: Symmetry-Based Geometric Analysis Aaron

How Earthquake Risk Depends on the Closeness to a Fault: Symmetry-Based Geometric Analysis Aaron

How Earthquake Risk Depends on the Closeness to a Fault: Symmetry-Based Geometric Analysis Aaron Velasco 1 , Solymar Ayala Cortez 1 Olga Kosheleva 2 , and Vladik Kreinovich 3 1 Department of Geological Sciences 2 Department of Teacher Education 3

562 views • 23 slides
Differentially-Private Network Trace Analysis Frank McSherry and Ratul Mahajan Microsoft

Differentially-Private Network Trace Analysis Frank McSherry and Ratul Mahajan Microsoft

Differentially-Private Network Trace Analysis Frank McSherry and Ratul Mahajan Microsoft Research Overview . 1 Overview Question : Is it possible to conduct network trace analyses in a way that provides strict formal differential

496 views • 20 slides
Contact-based Fault Injections and Power Analysis on RFID Tags Michael Hutter, Jrn-Marc Schmidt,

Contact-based Fault Injections and Power Analysis on RFID Tags Michael Hutter, Jrn-Marc Schmidt,

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI & Security Contact-based Fault Injections and Power Analysis on RFID Tags Michael Hutter, Jrn-Marc Schmidt, Thomas Plos ECCTD 2009 Institute for Applied

514 views • 16 slides
Seminar 6: Side-Channel Attacks Aleksei Ivanov Tartu University aivanov@math.ut.ee MTAT.07.006

Seminar 6: Side-Channel Attacks Aleksei Ivanov Tartu University aivanov@math.ut.ee MTAT.07.006

MTAT.07.006 Research Seminar in Cryptography Seminar 6: Side-Channel Attacks Aleksei Ivanov Tartu University aivanov@math.ut.ee MTAT.07.006 Research Seminar in Cryptography, 24.10.2005 Seminar 6: Side-Channel Attacks, Aleksei Ivanov 1

382 views • 16 slides
Embedded System Security Professor Patrick McDaniel Charles Sestito Fall 2015 Embedded System

Embedded System Security Professor Patrick McDaniel Charles Sestito Fall 2015 Embedded System

Embedded System Security Professor Patrick McDaniel Charles Sestito Fall 2015 Embedded System Microprocessor used as a component in a device and is designed for a specific control function within a device Used In: Cell Phones

560 views • 31 slides
Design Automation for Cryptography Anupam Chattopadhyay Assistant Professor, School of Computer

Design Automation for Cryptography Anupam Chattopadhyay Assistant Professor, School of Computer

Design Automation for Cryptography Anupam Chattopadhyay Assistant Professor, School of Computer Science and Engineering School of Physical and Mathematical Sciences, Nanyang Technological University June 7, 2017 Motivation Security not a

669 views • 27 slides
On the security of security extensions for IP-based KNX networks Aljosha Judmayer

On the security of security extensions for IP-based KNX networks Aljosha Judmayer

On the security of security extensions for IP-based KNX networks Aljosha Judmayer ajudmayer@sba-research.org ajudmayer@auto.tuwien.ac.at On the security of security extensions for IP-based KNX networks 1 SBA Research P1.1: Risk Management

1.06k views • 51 slides
Intrusion Tolerant IDS James Riordan Marc Dacier Dominique Alessandri Andreas Wespi IBM

Intrusion Tolerant IDS James Riordan Marc Dacier Dominique Alessandri Andreas Wespi IBM

Intrusion Tolerant IDS James Riordan Marc Dacier Dominique Alessandri Andreas Wespi IBM Forschungslaboratorium R uschlikon, Switzerland 19 June 2001 1 MAFTIA A European project whose aim is to develop: Malicious- and Accidental-

366 views • 13 slides
Bug Squashing with SQLsmith andreas.seltenreich@credativ.de October 25, 2018

Bug Squashing with SQLsmith andreas.seltenreich@credativ.de October 25, 2018

Bug Squashing with SQLsmith andreas.seltenreich@credativ.de October 25, 2018 andreas.seltenreich@credativ.de PGConf.EU 2018 1 / 32 Outline Motivation Testing Methodology Analysis of Bugs Uncovered Design Future Work

1.6k views • 37 slides
MSc in Computer Engineering, Cybersecurity and Artificial Intelligence, Fault Diagnosis and

MSc in Computer Engineering, Cybersecurity and Artificial Intelligence, Fault Diagnosis and

MSc in Computer Engineering, Cybersecurity and Artificial Intelligence, Fault Diagnosis and Estimation in Dynamical Systems (FDE), a.a. 2019/2020, Lecture 2 A brief review of analysis of continuous-time linear dynamical systems Prof. Mauro

591 views • 48 slides
Approaching Automation Necessary for introducing a task Prioritize automation steps based

Approaching Automation Necessary for introducing a task Prioritize automation steps based

Learning objectives Understand the main purposes of automating software analysis and testing Identify activities that can be fully or partially Automating Analysis and Test automated Understand cost and benefit trade-offs in

799 views • 12 slides
Can Secure architecture perform? Motivated by Yales talk Machine Learning and Quantum

Can Secure architecture perform? Motivated by Yales talk Machine Learning and Quantum

Can Secure architecture perform? Motivated by Yales talk Machine Learning and Quantum Computing; Is there anything else worth working on? ISCA, 2002 Avi Mendelson Technion, Israel avi.mendelson@technion.ac.il Agenda Intro and motivation

525 views • 18 slides
Introduction to Authenticated Encryption 1 / 27 www.iaik.tugraz.at Interface K K N , A , C ,

Introduction to Authenticated Encryption 1 / 27 www.iaik.tugraz.at Interface K K N , A , C ,

On A SCON and I SAP About Two Authenticated Encryption Schemes Christoph Dobraunig October 2018 Designed by: . Mendel, M. Schl A SCON : C. Dobraunig, M. Eichlseder, F affer I SAP : C. Dobraunig, M. Eichlseder, S. Mangard, F . Mendel, T.

987 views • 40 slides
Cryptography and Network Security Amongst the tribes of Central Australia every man, woman, and

Cryptography and Network Security Amongst the tribes of Central Australia every man, woman, and

4/19/2010 Chapter 10 Other Public Key Cryptosystems Cryptography and Network Security Amongst the tribes of Central Australia every man, woman, and child has a secret or sacred name which is bestowed by the older Chapter 10 men upon him or her

241 views • 5 slides
Responsible Behavior http://xkcd.com/364/ Lab: Alternate CTR mode Suppose we use encrypt

Responsible Behavior http://xkcd.com/364/ Lab: Alternate CTR mode Suppose we use encrypt

Responsible Behavior http://xkcd.com/364/ Lab: Alternate CTR mode Suppose we use encrypt using the following formula: C i = P i E(K, IV+i) Is this secure? Why or why not? If so, how does this relate to CTR mode? If not, what

935 views • 48 slides
Efficient Algorithms in Software Julio Lpez jlopez@ic.unicamp.br Institute of Computing,

Efficient Algorithms in Software Julio Lpez jlopez@ic.unicamp.br Institute of Computing,

Efficient Algorithms in Software Julio Lpez jlopez@ic.unicamp.br Institute of Computing, University of Campinas September 2017, Habana, Cuba. ASCrypto 2017 Agenda 1 Efficient Software Implementations Software Efficiency Parallel

1.68k views • 124 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems . They allow to

379 views • 5 slides
Tamarin prover Farzane Karami November 2019 Tamarin A tool for modeling and analysis of

Tamarin prover Farzane Karami November 2019 Tamarin A tool for modeling and analysis of

Tamarin prover Farzane Karami November 2019 Tamarin A tool for modeling and analysis of security protocols Core team: David Basin, Cas Cremers, Jannik Dreier, Simon Meier, Ralf Sasse, Benedikt Schmidt

578 views • 26 slides
Computer Security HKUST, Hong Kong Computer Security Cunsheng DING, HKUST COMP4631

Computer Security HKUST, Hong Kong Computer Security Cunsheng DING, HKUST COMP4631

CUNSHENG DING Computer Security HKUST, Hong Kong Computer Security Cunsheng DING, HKUST COMP4631 CUNSHENG DING Computer Security HKUST, Hong Kong Lecture 08: Key Management for One-key Ciphers Topics of this Lecture 1. The

377 views • 19 slides
Special Topics in Cryptography Mohammad Mahmoody Last time How to combine CPA security +

Special Topics in Cryptography Mohammad Mahmoody Last time How to combine CPA security +

Special Topics in Cryptography Mohammad Mahmoody Last time How to combine CPA security + MACS: Security against active attacks CCA secure private-key encryption Today Public-key encryption and key-agreement RSA (PKE) and

358 views • 14 slides
Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018 Introduction y 2 = x 3 + ax + b en.wikipedia.org/wiki/Elliptic curve Elliptic Curve Addition P = ( x p .y p ), Q = ( x q , y q ), R = ( x r .y r ) =

187 views • 16 slides
Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and

Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and

Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and q as well as an element g Z p that generates the subgroup G q . Choose a random x from { 0 , . . . , q 1 } . Compute h = g x .

754 views • 7 slides
KCI-based MitM Attacks against TLS Prying Open Pandoras Box Clemens Hlauschek, Markus Gruber,

KCI-based MitM Attacks against TLS Prying Open Pandoras Box Clemens Hlauschek, Markus Gruber,

KCI-based MitM Attacks against TLS Prying Open Pandoras Box Clemens Hlauschek, Markus Gruber, Florian Fankhauser, Christian Schanes BS(l)idesVienna 0x7df whoami [ haku@bsidesbox ] % getent passwd whoami | awk F :

684 views • 33 slides

More recommend