the evolution of authenticated encryption
play

The Evolution of Authenticated Encryption Phillip Rogaway - PowerPoint PPT Presentation

Sep 19, 2023 •209 likes •748 views

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton DIAC Directions in Authenticated Ciphers 05 July 2012

  1. The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton DIAC — Directions in Authenticated Ciphers 05 July 2012 Stockholm, Sweden 1/ 52

  2. 1. Introduction Today The recognition of AE as a useful “thing” - Modes that don’t work - 2. Definitions and constructions Defining AE - - Generic composition Historically - RPC, XCBC$, IAPM, OCB ordered Defining nonce-based AEAD - - CCM - GCM - OCB, again Defining MRAE - - SIV 3. Discussion Taxonomy - - Patents - Suggestions Sample research questions - 2/ 52

  3. Authenticated Encryption (AE) Promises two benefits 1. An easier-to-correctly-use abstraction boundary 2. More efficient realizations Begins with two realizations regarding symmetric encryption “Integrity” /“authenticity” is routinely needed 1. “Standard” privacy mechanisms don’t provide it 2. 1. Introduction 3/ 52

  4. Check / insert redundancy No authenticity for any S = f ( P ) CBC 1. Introduction 4/ 52

  5. Add more arrows PCBC See: Yu, Hartman, Raeburn 2004 “ The Perils of Unauthenticated Encryption: Kerberos Version 4” 5/ 52

  6. Still more arrows/operations iaPCBC [Gligor, Donescu 1999] Promptly broken by Jutla (1999) and by Ferguson, Whiting, Kelsey, Wagner (1999) 1. Introduction 6/ 52

  7. Emerging understanding that: Beyond IND-CPA privacy was often desirable - Didn’t come with standard encryption methods - ~2000 Simple ways to try to get it cheaply don’t work - Similar realizations in the public- key world … [Bleichenbacher 1998] – “A chosen ciphertext attack against protocols - based on the RSA encryption standard PKCS #1” - Reaction was that IND-CPA security was not enough CCA1 security (Naor-Yung 1990) - CCA2 security (Rackoff-Simon 1991) - Non-malleability (Dolev-Dwork-Naor 1991) - 1. Introduction 7/ 52

  8. AE Def ined [ Bellare, Rogaway 2000 ] – “Encode -then-encipher encryption: how to exploit nonces or redundancy in plaintexts for efficient cryptography” [ Katz, Yung 2000 ] – “Unforgeable encryption and chosen ciphertext secure modes of operation” coins C C Dec M Enc M or ^ K K • Conventional privacy [BDJR97]: Indistinguishability / semantic security. • Authenticity : The only ciphertexts C that will decrypt to something valid are those previously obtained by an Enc (·) call. 2. Definitions and constructions 8/ 52

  9. [BDJR97] AE Def ined M Enc K ( 0 |  | ) Enc K (  ) C C A Adv ( A ) = Pr[ A Enc K (  )  1 ] - Pr[ A Enc K ( 0 |  | )  1 ] priv P 2. Definitions and constructions 9/ 52

  10. [BR00,KY00;BN00] AE Def ined M Enc K (  ) C A C * Adv ( A ) = Pr[ A Enc K (  )  1 ] - Pr[ A Enc K ( 0 |  | )  1 ] priv P Adv ( A ) = Pr[ A Enc K (  )  C * : no query returned C * and Dec K ( C * )  ^ ] auth P 2. Definitions and constructions 10/ 52

  11. [BN00, KY0] The Strength of AE • Implies IND-CCA2 security • Implies NM-CCA2 security 2. Definitions and constructions 11/ 52

  12. [BN 2000] Generic Composition of an IND-CPA encryption scheme and a PRF M M M Enc K MAC L MAC L Enc K T C Enc K MAC L C C T T Encrypt-and-MAC P MAC-then-Encrypt Encrypt-then-MAC 2. Definitions and constructions 12/ 52

  13. The Cost of Generic Composition M Enc K Cost( AE ) = Cost( Enc ) + Cost( MAC ) MAC L C T Example cases: Enc = CTR, CBC MAC = CMAC, HMAC, PMAC, UMAC  Generic composition can be pretty cheap – if you use a cheap MAC 2. Definitions and constructions 13/ 52

  14. [KY00] RPC Mode M 1 M 2 M 3 M 4 i i+ 1 M 1 M 2 i+ 2 M 3 i+ 3 M 4 i+ 4 i+ 5 start end E K E K E K E K E K E K i C 0 C 1 C 2 C 3 C 4 C 5 2. Definitions and constructions 14/ 52

  15. [Gligor Donescu 2001] XCBC$ Mode Illustration from Gligor-Donescu US Patent 6973182 (2001) 2. Definitions and constructions 15/ 52

  16. [Jutla 2001] IAPM Mode Illustration from [Jutla 2001] 2. Definitions and constructions 16/ 52

  17. OCB Mode (later “OCB1”) [R, Bellare, Black, Krovetz 2001] Like IAPM but highly optimized. Motivated by NIST’s modes call. Z [ i ] = R  g i  L • Arbitrary-length messages Checksum = M [1]    M [ m -1]  C [ m ] 0 *  Y [ m ] • Efficient offset calculations m + 2 blockcipher calls, m =  | M |/ n  • • Single blockcipher key • Cheap key setup (one blockcipher call) 2. Definitions and constructions 17/ 52

  18. Two important players: NIST and IEEE 802.11i • WiFi standard ratified in 1999 Uses WEP security • Fatal attacks soon emerge: - [Fluhrer, Mantin, Shamir 2001] Weaknesses in the key scheduling algorithm of RC4 - [Stubblefield, Ioannidis, Rubin 2001] Using the Fluhrer, Mantin, Shamir attack to break WEP - [Borisov, Goldberg, Wagner 2001] Intercepting mobile communications: the insecurity of 802.11 - [Cam-Winget , Housley, Wagner, Walker 2003] Security flaws in 802.11 data links protocols • WEP  TKIP  WPA  WPA2 - Draft solutions based on OCB - Politics and patent-avoidance: [Whiting, Housley, Ferguson 2002] develop CCM (=CCMP) - CCM standardized for 802.11, then NIST 2. Definitions and constructions 18/ 52

  19. Before describing CCM … Back to the def initional story N N coins C C Dec M Enc M AD or ^ AD K K • Random values routinely aren’t • Many application have an available nonce • Weaker user requirement; less misuse 1) Move the coins “out” and make a “nonce” sufficient [RBBK01] 2) Add in “associated data” [R02] • Requirement from Cam-Winget, Kaliski, Walker • AD is authenticated but not encrypted Failure to provide same AD on decryption results in ^ • 2. Definitions and constructions 19/ 52

  20. (1) Ask for indistinguishability from random bits [RBBK00] Also: AEAD (2) All-in-one definition [R, Shrimpton 2006] N, AD, M Enc K (  ,  ,  ) $ (  ,  ,  ) C C A M ^ ^ (  ,  ,  ) Dec K (  ,  ,  ) N, AD, C Adv ( A ) = Pr[ A EncK DecK  1 ] - Pr[ A $ ^  1 ] aead P A may not: repeat an N -value in an enc query; or ask a dec query ( N, AD, C ) after C is returned by an ( N , AD ,  ) enc query 2. Definitions and constructions 20/ 52

  21. [Whiting, Housley, Ferguson 2002] NIST SP 800-38C CCM Mode RFC 3610, 4309, 5084 Roughly MAC-then-Encrypt 2. Definitions and constructions 21/ 52

  22. Functions F ORMAT and C OUNT where 2. Definitions and constructions 22/ 52

  23. See: [ R 2011 ], “Evaluation of Some [Whiting, Housley, Ferguson 2002] Blockcipher Modes of Operation” (Ch. 11); NIST SP 800-38C:2004 CCM Mode following [R, Wagner 2003] , “A Critique of CCM” RFC 3610, 4309, 5084, 5116 • Provably secure, with OK bounds, if AE if E is a good PRP [Jonsson 2002] • Widely used, standardized (eg, in 802.11) • Simple to implement • Only forward direction of blockcipher used • About 2 m +2 blockcipher calls • Half non-parallelizable • Word alignment disrupted • Can’t preprocess static AD • Not “online” — need to know m in advance • Complex Bit twiddling formatting Absent abstraction boundary • User must specify q  {2,3,4,5,6,7,8} – byte length of byte length of longest message which determines nonce length(!) of t =15 - q 2. Definitions and constructions 23/ 52

  24. [Bellare, R, Wagner 2004] ANSI C12.22, ISO 19772 The issues with CCM aren’t hard to f ix • Generic composition of CTR and CMAC is a good alternative • EAX is a CCM- like mode intended to fix CCM’s problems N M A 1 0 CMAC K CMAC K CTR K  C T 2 CMAC K EAX 2. Definitions and constructions 24/ 52

  25. See: [ R 2011 ], “Evaluation of Some [McGrew, Viega 2004] Blockcipher Modes of Operation”, Ch. 12 (Follows CWC [Kohno, Viega, Whiting 2004] ) NIST SP 800-38D:2007 RFC 4106, 5084, 5116, 5288, 5647 ISO 19772:2009 GCM Mode with 96-bit nonce N 2. Definitions and constructions 25/ 52

  26. GCM Mode [McGrew, Viega 2004] Follows CWC [Kohno, Viega, Whiting 2004] NIST SP 800-38D • Provably secure, with OK bounds for long tags IPsec, TLS, MACsec, P1619.1, TLS • Parallelizable, online ISO 19772:2009 • About m +1 blockcipher calls, all of them parallelizable • Very efficient in HW • Reasonably efficient in SW with AES-NI, PCMULDQ, preprocessing & tables • Static AD can be preprocessed • Only forward direction of blockcipher used First forgery after 2 t / 2 queries • • After, additional forgeries come quickly • Poor bound if truncate tag too much [Ferguson, 2005] (don’t truncate <96 bits) • Not that efficient in SW, even with PCMULDQ support • Timing attacks an issue for table-based realizations (slow setup, too) • Maximum of 2 36 -32 bytes • “Reflected - bit” convention for representing field points unfortunate • | N |  96 case not handled well • Published proof is buggy [Iwata, 2012] 2. Definitions and constructions 26/ 52

  27. OCB3 [RBBK01, R04, KR10] OCB Mode in terms of a tweakable blockcipher [LRW02] = M 1  M 2  M 3  M 4 2. Definitions and constructions 27/ 52

  28. [RBBK01, R04, KR10] OCB Mode in terms of a tweakable blockcipher [LRW02] = M 1  M 2  M 3  M 4 10 * 2. Definitions and constructions 28/ 52

  29. [RBBK01, R04, KR10] OCB Mode in terms of a tweakable blockcipher [LRW02] 2. Definitions and constructions 29/ 52

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Authenticated Encryption Requirements David McGrew mcgrew@cisco.com Directions in Authenticated

Authenticated Encryption Requirements David McGrew mcgrew@cisco.com Directions in Authenticated

Desiderata Current AEAD use Evolution Conclusions Authenticated Encryption Requirements David McGrew mcgrew@cisco.com Directions in Authenticated Ciphers, 2012 Desiderata Current AEAD use Evolution Conclusions Many desirable attributes

284 views • 26 slides
Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein University of Illinois at Chicago &amp; m Technische Universiteit Eindhoven c k More details, credits: competitions.cr.yp.to network

1.33k views • 118 slides
The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich and Christian Rechberger University of Luxembourg and DTU (Denmark) Presented by Yu Sasaki (NTT, Japan) 15 August 2013 Authenticated encryption

556 views • 22 slides
Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

(A brief, incomplete) Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and Privacy June 11, 2018 Authenticated Encryption M M Its complicated Probabilistic or deterministic AE? Nonce based AE?

868 views • 47 slides
Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan Daemen 1 , Michal Peeters 2 , and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. While mainstream symmetric cryptography has

519 views • 12 slides
Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva COSIC, KU Leuven, Belgium Cryptoday 2014 Technion, Haifa, Israel 30/12/2014 Outline Authenticated Encryption: AE Generic AE composition

732 views • 55 slides
Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

ELmD Authenticated Encryption Scheme EME based Authenticated Encryption Schemes Comparative Study of ELmD with other EME based AEs Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul Nandi Indian

364 views • 20 slides
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological University, Katholieke Universiteit Leuven Presented at DIAC 1 Classification of Authenticated Encryption AEGIS Design rationale

635 views • 19 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Taxonomy of security Authenticated encryption

440 views • 26 slides
CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE: Challenges in Authenticated Encryption https://chae.cr.yp.to Contributors to the white paper Jean-Philippe Aumasson David McGrew Steve Babbage

411 views • 4 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Authenticated Encryption! ( Using AES with 128

893 views • 67 slides
Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr

Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr

Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr 2 1 NEC Laboratories Europe, Germany 2 EPFL, Switzerland DIAC 2016: Directions in Authenticated Ciphers 2016 This work was partially supported by

696 views • 43 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
LAW, LAND RIGHTS, AND REVENUE Prof. Susan Whiting Political Science University of Washington 2

LAW, LAND RIGHTS, AND REVENUE Prof. Susan Whiting Political Science University of Washington 2

1 LAW, LAND RIGHTS, AND REVENUE Prof. Susan Whiting Political Science University of Washington 2 Law, Land Rights, and Revenue 1. Generation and extraction of revenue from land 2. Role of law and legal institutions Documents Case

654 views • 31 slides
The dynamical sky Two frontiers Joel Johansson, Uppsala university Time Wavelength Optical

The dynamical sky Two frontiers Joel Johansson, Uppsala university Time Wavelength Optical

The dynamical sky Two frontiers Joel Johansson, Uppsala university Time Wavelength Optical surveys faster! HSC, 1.7 deg 2 PS1, 7 deg 2 DES, 2.5 deg 2 PTF/iPTF, 7.3 deg 2 ZTF, 47 deg 2 LSST, 9.6 deg 2 1 deg Optical phase-space

674 views • 18 slides
Anima Caf Online Challenging anti-Black Racism in Organizations With Mahlon Evans-Sinclair

Anima Caf Online Challenging anti-Black Racism in Organizations With Mahlon Evans-Sinclair

2020-06-10 Anima Caf Online Challenging anti-Black Racism in Organizations With Mahlon Evans-Sinclair &amp; Parker Johnson 1 On-line Etiquette You have been muted on entry to limit feedback Raise your hand if you want to

181 views • 4 slides
Now on the first day of the week Mary Magdalene came to the tomb early, while it was still dark,

Now on the first day of the week Mary Magdalene came to the tomb early, while it was still dark,

Now on the first day of the week Mary Magdalene came to the tomb early, while it was still dark, and saw that the stone had been taken away from the tomb. John 20:1 But Mary stood weeping outside the tomb, and as she wept she stooped to look

467 views • 23 slides
Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu, Jiazhe Chen, Xiaoyun Wang Tsinghua University Shandong University 1 Outline Brief description of Skein-256 Previous results related to

518 views • 22 slides
This Talk. Sources of Topics ACP Journal Club Advances in Primary Care: Residency

This Talk. Sources of Topics ACP Journal Club Advances in Primary Care: Residency

8/8/2018 This Talk. Sources of Topics ACP Journal Club Advances in Primary Care: Residency Journal Clubs Recent Important Papers Faculty Suggestion Douglas C. Bauer, MD Guiding Principles Departments of Medicine and

249 views • 13 slides
How fast are hash functions? D. J. Bernstein University of Illinois at Chicago NSF ITR0716498

How fast are hash functions? D. J. Bernstein University of Illinois at Chicago NSF ITR0716498

How fast are hash functions? D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 in cooperation with IST2002507932 ECRYPT Depends on the volume of data being hashed. For small data volumes can often see big costs for

1.14k views • 66 slides
Welcome! Check your audio connection to be sure your speakers are on and the volume is up.

Welcome! Check your audio connection to be sure your speakers are on and the volume is up.

Welcome! Check your audio connection to be sure your speakers are on and the volume is up. Archive recording, presentation slides, resources, and CEU form are available at: www.schoolnutrition.org/webinars @SchoolLunch

588 views • 23 slides

More recommend