Block Cipher and Authenticated Encryption with Highly Efficient
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
The Design of Rijndael: AES - the Advanced Encryption Standard/Joan Daemen, Vincent Rijmen
Joan Daernen · Vincent Rijrnen Theof Design Rijndael AES - The Advanced Encryption Standard With 48 Figures and 17 Tables Springer Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Springer TnL-1Jn Joan Daemen Foreword Proton World International (PWI) Zweefvliegtuigstraat 10 1130 Brussels, Belgium Vincent Rijmen Cryptomathic NV Lei Sa 3000 Leuven, Belgium Rijndael was the surprise winner of the contest for the new Advanced En cryption Standard (AES) for the United States. This contest was organized and run by the National Institute for Standards and Technology (NIST) be ginning in January 1997; Rij ndael was announced as the winner in October 2000. It was the "surprise winner" because many observers (and even some participants) expressed scepticism that the U.S. government would adopt as Library of Congress Cataloging-in-Publication Data an encryption standard any algorithm that was not designed by U.S. citizens. Daemen, Joan, 1965- Yet NIST ran an open, international, selection process that should serve The design of Rijndael: AES - The Advanced Encryption Standard/Joan Daemen, Vincent Rijmen. as model for other standards organizations. For example, NIST held their p.cm. Includes bibliographical references and index. 1999 AES meeting in Rome, Italy. The five finalist algorithms were designed ISBN 3540425802 (alk. paper) . .. by teams from all over the world. 1. Computer security - Passwords. 2. Data encryption (Computer sCIence) I. RIJmen, In the end, the elegance, efficiency, security, and principled design of Vincent, 1970- II. Title Rijndael won the day for its two Belgian designers, Joan Daemen and Vincent QA76.9.A25 D32 2001 Rijmen, over the competing finalist designs from RSA, IBl\!I, Counterpane 2001049851 005.8-dc21 Systems, and an English/Israeli/Danish team. -
Analysis of Selected Block Cipher Modes for Authenticated Encryption
Analysis of Selected Block Cipher Modes for Authenticated Encryption by Hassan Musallam Ahmed Qahur Al Mahri Bachelor of Engineering (Computer Systems and Networks) (Sultan Qaboos University) – 2007 Thesis submitted in fulfilment of the requirement for the degree of Doctor of Philosophy School of Electrical Engineering and Computer Science Science and Engineering Faculty Queensland University of Technology 2018 Keywords Authenticated encryption, AE, AEAD, ++AE, AEZ, block cipher, CAESAR, confidentiality, COPA, differential fault analysis, differential power analysis, ElmD, fault attack, forgery attack, integrity assurance, leakage resilience, modes of op- eration, OCB, OTR, SHELL, side channel attack, statistical fault analysis, sym- metric encryption, tweakable block cipher, XE, XEX. i ii Abstract Cryptography assures information security through different functionalities, es- pecially confidentiality and integrity assurance. According to Menezes et al. [1], confidentiality means the process of assuring that no one could interpret infor- mation, except authorised parties, while data integrity is an assurance that any unauthorised alterations to a message content will be detected. One possible ap- proach to ensure confidentiality and data integrity is to use two different schemes where one scheme provides confidentiality and the other provides integrity as- surance. A more compact approach is to use schemes, called Authenticated En- cryption (AE) schemes, that simultaneously provide confidentiality and integrity assurance for a message. AE can be constructed using different mechanisms, and the most common construction is to use block cipher modes, which is our focus in this thesis. AE schemes have been used in a wide range of applications, and defined by standardisation organizations. The National Institute of Standards and Technol- ogy (NIST) recommended two AE block cipher modes CCM [2] and GCM [3]. -
Patent-Free Authenticated-Encryption As Fast As OCB
Patent-Free Authenticated-Encryption As Fast As OCB Ted Krovetz Computer Science Department California State University Sacramento, California, 95819 USA [email protected] Abstract—This paper presents an efficient authenticated encryp- VHASH hash family [4]. The resulting authenticated encryp- tion construction based on a universal hash function and block tion scheme peaks at 12.8 cpb, while OCB peaks at 13.9 cpb in cipher. Encryption is achieved via counter-mode while authenti- our experiments. The paper closes with a performance com- cation uses the Wegman-Carter paradigm. A single block-cipher parison of several well-known authenticated encryption algo- key is used for both operations. The construction is instantiated rithms [6]. using the hash functions of UMAC and VMAC, resulting in authenticated encryption with peak performance about ten per- cent slower than encryption alone. II. SECURITY DEFINITIONS We adopt the notions of security from [7], and summarize Keywords- Authenticated encryption, block-cipher mode-of- them less formally here. An authenticated encryption with as- operation, AEAD, UMAC, VMAC. sociated data (AEAD) scheme is a triple S = (K,E,D), where K is a set of keys, and E and D are encryption and decryption I. INTRODUCTION functions. Encryption occurs by computing E(k,n,h,p,f), which Traditionally when one wanted to both encrypt and authen- returns (c,t), for key k, nonce n, header h, plaintext m and ticate communications, one would encrypt the message under footer f. Ciphertext c is the encryption of p, and tag t authenti- one key and authenticate the resulting ciphertext under a sepa- cates h, c and f. -
Modes of Operation for Compressed Sensing Based Encryption
Modes of Operation for Compressed Sensing based Encryption DISSERTATION zur Erlangung des Grades eines Doktors der Naturwissenschaften Dr. rer. nat. vorgelegt von Robin Fay, M. Sc. eingereicht bei der Naturwissenschaftlich-Technischen Fakultät der Universität Siegen Siegen 2017 1. Gutachter: Prof. Dr. rer. nat. Christoph Ruland 2. Gutachter: Prof. Dr.-Ing. Robert Fischer Tag der mündlichen Prüfung: 14.06.2017 To Verena ... s7+OZThMeDz6/wjq29ACJxERLMATbFdP2jZ7I6tpyLJDYa/yjCz6OYmBOK548fer 76 zoelzF8dNf /0k8H1KgTuMdPQg4ukQNmadG8vSnHGOVpXNEPWX7sBOTpn3CJzei d3hbFD/cOgYP4N5wFs8auDaUaycgRicPAWGowa18aYbTkbjNfswk4zPvRIF++EGH UbdBMdOWWQp4Gf44ZbMiMTlzzm6xLa5gRQ65eSUgnOoZLyt3qEY+DIZW5+N s B C A j GBttjsJtaS6XheB7mIOphMZUTj5lJM0CDMNVJiL39bq/TQLocvV/4inFUNhfa8ZM 7kazoz5tqjxCZocBi153PSsFae0BksynaA9ZIvPZM9N4++oAkBiFeZxRRdGLUQ6H e5A6HFyxsMELs8WN65SCDpQNd2FwdkzuiTZ4RkDCiJ1Dl9vXICuZVx05StDmYrgx S6mWzcg1aAsEm2k+Skhayux4a+qtl9sDJ5JcDLECo8acz+RL7/ ovnzuExZ3trm+O 6GN9c7mJBgCfEDkeror5Af4VHUtZbD4vALyqWCr42u4yxVjSj5fWIC9k4aJy6XzQ cRKGnsNrV0ZcGokFRO+IAcuWBIp4o3m3Amst8MyayKU+b94VgnrJAo02Fp0873wa hyJlqVF9fYyRX+couaIvi5dW/e15YX/xPd9hdTYd7S5mCmpoLo7cqYHCVuKWyOGw ZLu1ziPXKIYNEegeAP8iyeaJLnPInI1+z4447IsovnbgZxM3ktWO6k07IOH7zTy9 w+0UzbXdD/qdJI1rENyriAO986J4bUib+9sY/2/kLlL7nPy5Kxg3 Et0Fi3I9/+c/ IYOwNYaCotW+hPtHlw46dcDO1Jz0rMQMf1XCdn0kDQ61nHe5MGTz2uNtR3bty+7U CLgNPkv17hFPu/lX3YtlKvw04p6AZJTyktsSPjubqrE9PG00L5np1V3B/x+CCe2p niojR2m01TK17/oT1p0enFvDV8C351BRnjC86Z2OlbadnB9DnQSP3XH4JdQfbtN8 BXhOglfobjt5T9SHVZpBbzhDzeXAF1dmoZQ8JhdZ03EEDHjzYsXD1KUA6Xey03wU uwnrpTPzD99cdQM7vwCBdJnIPYaD2fT9NwAHICXdlp0pVy5NH20biAADH6GQr4Vc -
Secret-Key Encryption Introduction
Secret-Key Encryption Introduction • Encryption is the process of encoding a message in such a way that only authorized parties can read the content of the original message • History of encryption dates back to 1900 BC • Two types of encryption • secret-key encryption : same key for encryption and decryption • pubic-key encryption : different keys for encryption and decryption • We focus on secret-key encryption in this chapter Substitution Cipher • Encryption is done by replacing units of plaintext with ciphertext, according to a fixed system. • Units may be single letters, pairs of letters, triplets of letters, mixtures of the above, and so forth • Decryption simply performs the inverse substitution. • Two typical substitution ciphers: • monoalphabetic - fixed substitution over the entire message • Polyalphabetic - a number of substitutions at different positions in the message Monoalphabetic Substitution Cipher • Encryption and decryption Breaking Monoalphabetic Substitution Cipher • Frequency analysis is the study of the frequency of letters or groups of letters in a ciphertext. • Common letters : T, A, E, I, O • Common 2-letter combinations (bigrams): TH, HE, IN, ER • Common 3-letter combinations (trigrams): THE, AND, and ING Breaking Monoalphabetic Substitution Cipher • Letter Frequency Analysis results: Breaking Monoalphabetic Substitution Cipher • Bigram Frequency Analysis results: Breaking Monoalphabetic Substitution Cipher • Trigram Frequency analysis results: Breaking Monoalphabetic Substitution Cipher • Applying the partial mappings… Data Encryption Standard (DES) • DES is a block cipher - can only encrypt a block of data • Block size for DES is 64 bits • DES uses 56-bit keys although a 64-bit key is fed into the algorithm • Theoretical attacks were identified. None was practical enough to cause major concerns. -
Encryption Block Cipher
10/29/2007 Encryption Encryption Block Cipher Dr.Talal Alkharobi 2 Block Cipher A symmetric key cipher which operates on fixed-length groups of bits, termed blocks, with an unvarying transformation. When encrypting, a block cipher take n-bit block of plaintext as input, and output a corresponding n-bit block of ciphertext. The exact transformation is controlled using a secret key. Decryption is similar: the decryption algorithm takes n-bit block of ciphertext together with the secret key, and yields the original n-bit block of plaintext. Mode of operation is used to encrypt messages longer than the block size. 1 Dr.Talal Alkharobi 10/29/2007 Encryption 3 Encryption 4 Decryption 2 Dr.Talal Alkharobi 10/29/2007 Encryption 5 Block Cipher Consists of two algorithms, encryption, E, and decryption, D. Both require two inputs: n-bits block of data and key of size k bits, The output is an n-bit block. Decryption is the inverse function of encryption: D(E(B,K),K) = B For each key K, E is a permutation over the set of input blocks. n Each key K selects one permutation from the possible set of 2 !. 6 Block Cipher The block size, n, is typically 64 or 128 bits, although some ciphers have a variable block size. 64 bits was the most common length until the mid-1990s, when new designs began to switch to 128-bit. Padding scheme is used to allow plaintexts of arbitrary lengths to be encrypted. Typical key sizes (k) include 40, 56, 64, 80, 128, 192 and 256 bits. -
The Evolution of Authenticated Encryption
The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Those who’ve worked with me on AE: Mihir Bellare Workshop on Real-World Cryptography John Black Thursday, 10 January 2013 Ted Krovetz Stanford, California, USA Chanathip Namprempre Tom Shrimpton David Wagner 1/40 Traditional View (~2000) Of Symmetric Goals K K Sender Receiver Privacy Authenticity (confidentiality) (data-origin authentication) Encryption Authenticated Encryption Message scheme Achieve both of these aims Authentication Code (MAC) IND-CPA [Goldwasser, Micali 1982] Existential-unforgeability under ACMA [Bellare, Desai, Jokipii, R 1997] [Goldwasser, Micali, Rivest 1984, 1988], [Bellare, Kilian, R 1994], [Bellare, Guerin, R 1995] 2/40 Needham-Schroeder Protocol (1978) Attacked by Denning-Saco (1981) Practioners never saw a b IND-CPA as S encryption’s goal A . B . NA {N . B . s . {s . A} } 1 A b a 2 a b {s . A} A 3 b B 4 {NB}s 5 {NB -1 }s 3/40 Add redundancy No authenticity for any S = f (P) CBC ~ 1980 Doesn’t work Beyond CBC MAC: regardless of how you compute unkeyed checksums don’t work even the (unkeyed) checksum S = R(P1, …, Pn) with IND-CCA or NM-CPA schemes (Wagner) [An, Bellare 2001] 4/40 Add more arrows PCBC 1982 Doesn’t work See [Yu, Hartman, Raeburn 2004] The Perils of Unauthenticated Encryption: Kerberos Version 4 for real-world attacks 5/40 Add yet more stuff iaPCBC [Gligor, Donescu 1999] Doesn’t work Promptly broken by Jutla (1999) & Ferguson, Whiting, Kelsey, Wagner (1999) 6/40 Emerging understanding that: - We’d like -
Optimizing Authenticated Encryption Algorithms
Masaryk University Faculty of Informatics Optimizing authenticated encryption algorithms Master’s Thesis Ondrej Mosnáček Brno, Fall 2017 Masaryk University Faculty of Informatics Optimizing authenticated encryption algorithms Master’s Thesis Ondrej Mosnáček Brno, Fall 2017 This is where a copy of the official signed thesis assignment and a copy ofthe Statement of an Author is located in the printed version of the document. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Ondrej Mosnáček Advisor: Ing. Milan Brož i Acknowledgement I would like to thank my advisor, Milan Brož, for his guidance, pa- tience, and helpful feedback and advice. Also, I would like to thank my girlfriend Ludmila, my family, and my friends for their support and kind words of encouragement. If I had more time, I would have written a shorter letter. — Blaise Pascal iii Abstract In this thesis, we look at authenticated encryption with associated data (AEAD), which is a cryptographic scheme that provides both confidentiality and integrity of messages within a single operation. We look at various existing and proposed AEAD algorithms and compare them both in terms of security and performance. We take a closer look at three selected candidate families of algorithms from the CAESAR competition. Then we discuss common facilities provided by the two most com- mon CPU architectures – x86 and ARM – that can be used to implement cryptographic algorithms efficiently. -
On the Security of CTR + CBC-MAC NIST Modes of Operation – Additional CCM Documentation
On the Security of CTR + CBC-MAC NIST Modes of Operation { Additional CCM Documentation Jakob Jonsson? jakob [email protected] Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode. This mode, proposed by Doug Whiting, Russ Housley, and Niels Ferguson, combines the CTR (“counter”) encryption mode with CBC-MAC message authentication and is based on a block cipher such as AES. We present concrete lower bounds for the security of CCM in terms of the security of the underlying block cipher. The conclusion is that CCM provides a level of privacy and authenticity that is in line with other proposed modes such as OCB. Keywords: AES, authenticated encryption, modes of operation. Note: A slightly different version of this paper will appear in the Proceedings from Selected Areas of Cryptography (SAC) 2002. 1 Introduction Background. Block ciphers are popular building blocks in cryptographic algo rithms intended to provide information services such as privacy and authenticity. Such block-cipher based algorithms are referred to as modes of operation. Exam ples of encryption modes of operation are Cipher Block Chaining Mode (CBC) [23], Electronic Codebook Mode (ECB) [23], and Counter Mode (CTR) [9]. Since each of these modes provides privacy only and not authenticity, most applica tions require that the mode be combined with an authentication mechanism, typically a MAC algorithm [21] based on a hash function such as SHA-1 [24]. For example, a popular cipher suite in SSL/TLS [8] combines CBC mode based on Triple-DES [22] with the MAC algorithm HMAC [26] based on SHA-1. -
Keccak Sponge Function Family Main Document
Keccak sponge function family main document Guido Bertoni1 Joan Daemen1 Micha¨el Peeters2 Gilles Van Assche1 http://keccak.noekeon.org/ Version 1.0 1STMicroelectronics October 27, 2008 2NXP Semiconductors Keccak 2 / 78 Contents 1 Introduction 7 1.1 NIST requirements . .7 1.2 Acknowledgments . .8 2 Design rationale summary 9 2.1 Choosing the sponge construction . .9 2.2 Choosing an iterated permutation . 10 2.3 Designing the Keccak-f permutations . 10 2.4 Choosing the parameter values . 11 3 The sponge construction 13 3.1 Security of the sponge construction . 13 3.1.1 Indifferentiability from a random oracle . 13 3.1.2 Indifferentiability of multiple sponge functions . 14 3.1.3 Immunity to generic attacks . 15 3.1.4 Randomized hashing . 15 3.1.5 Keyed modes . 16 3.2 Rationale for the padding . 16 3.2.1 Sponge input preparation . 16 3.2.2 Multi-capacity property . 17 3.2.3 Digest-length dependent digest . 17 3.3 Parameter choices . 17 3.3.1 Capacity . 17 3.3.2 Width . 18 3.3.3 The default sponge function Keccak[] . 18 3.4 The four critical operations of a sponge . 18 3.4.1 Definitions . 19 3.4.2 The operations . 19 4 Sponge functions with an iterated permutation 21 4.1 The philosophy . 21 4.1.1 There should be no better attacks than generic attacks . 21 4.1.2 The impossibility of implementing a random oracle . 21 4.1.3 The choice between a permutation and a transformation . 22 4.1.4 The choice of an iterated permutation . -
Innovations in Symmetric Cryptography
Innovations in symmetric cryptography Joan Daemen STMicroelectronics, Belgium SSTIC, Rennes, June 5, 2013 1 / 46 Outline 1 The origins 2 Early work 3 Rijndael 4 The sponge construction and Keccak 5 Conclusions 2 / 46 The origins Outline 1 The origins 2 Early work 3 Rijndael 4 The sponge construction and Keccak 5 Conclusions 3 / 46 The origins Symmetric crypto around ’89 Stream ciphers: LFSR-based schemes no actual design many mathematical papers on linear complexity Block ciphers: DES design criteria not published DC [Biham-Shamir 1990]: “DES designers knew what they were doing” LC [Matsui 1992]: “well, kind of” Popular paradigms, back then (but even now) property-preservation: strong cipher requires strong S-boxes confusion (nonlinearity): distance to linear functions diffusion: (strict) avalanche criterion you have to trade them off 4 / 46 The origins The banality of DES Data encryption standard: datapath 5 / 46 The origins The banality of DES Data encryption standard: F-function 6 / 46 The origins Cellular automata based crypto A different angle: cellular automata Simple local evolution rule, complex global behaviour Popular 3-bit neighborhood rule: 0 ⊕ ai = ai−1 (ai OR ai+1) 7 / 46 The origins Cellular automata based crypto Crypto based on cellular automata CA guru Stephen Wolfram at Crypto ’85: looking for applications of CA concrete stream cipher proposal Crypto guru Ivan Damgård at Crypto ’89 hash function from compression function proof of collision-resistance preservation compression function with CA Both broken stream cipher in -
Changing of the Guards
Changing of the Guards . Joan Daemen CHES 2017 Taipei, September 26, 2017 Radboud University STMicroelectronics 1 / 18 Disclaimer . This is not a talk about higher-order countermeasures 2 / 18 Iterative cryptographic permutation . 3 / 18 Three-stage round function: wide trail . 4 / 18 X[i] ^= (~X[i+1]) & X[i+2] xi xi + (xi+1 + 1)xi+2 Invertible for odd length n Used in Ketje, Keyak, Keccak (n = 5) RadioGatun (n = 19), Panama (n = 17), BaseKing, 3-Way (n = 3), Subterranean, Cellhash (n = 257) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] Nonlinear layer c . 5 / 18 X[i] ^= (~X[i+1]) & X[i+2] xi xi + (xi+1 + 1)xi+2 Invertible for odd length n Used in Ketje, Keyak, Keccak (n = 5) RadioGatun (n = 19), Panama (n = 17), BaseKing, 3-Way (n = 3), Subterranean, Cellhash (n = 257) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] Nonlinear layer c . 5 / 18 X[i] ^= (~X[i+1]) & X[i+2] xi xi + (xi+1 + 1)xi+2 Invertible for odd length n Used in Ketje, Keyak, Keccak (n = 5) RadioGatun (n = 19), Panama (n = 17), BaseKing, 3-Way (n = 3), Subterranean, Cellhash (n = 257) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] Nonlinear layer c . 5 / 18 X[i] ^= (~X[i+1]) & X[i+2] xi xi + (xi+1 + 1)xi+2 Invertible for odd length n Used in Ketje, Keyak, Keccak (n = 5) RadioGatun (n = 19), Panama (n = 17), BaseKing, 3-Way (n = 3), Subterranean, Cellhash (n = 257) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] Nonlinear layer c . 5 / 18 xi xi + (xi+1 + 1)xi+2 Invertible for odd length n Used in Ketje, Keyak, Keccak (n = 5) RadioGatun (n = 19), Panama (n = 17), BaseKing, 3-Way (n = 3), Subterranean, Cellhash (n = 257) [Daemen, Govaerts, Vandewalle, WIC Benelux 1991] Nonlinear layer c .