Analysis of Selected Block Cipher Modes for Authenticated Encryption

by Hassan Musallam Ahmed Qahur Al Mahri
Bachelor of Engineering (Computer Systems and Networks) (Sultan Qaboos University), 2007

Thesis submitted in fulfilment of the requirement for the degree of Doctor of Philosophy
School of Electrical Engineering and Computer Science
Science and Engineering Faculty
Queensland University of Technology
2018

Keywords

Authenticated encryption, AE, AEAD, ++AE, AEZ, block cipher, CAESAR, confidentiality, COPA, differential fault analysis, differential power analysis, ELmD, fault attack, forgery attack, integrity assurance, leakage resilience, modes of operation, OCB, OTR, SHELL, side channel attack, statistical fault analysis, symmetric encryption, tweakable block cipher, XE, XEX.

Abstract

Cryptography assures information security through different functionalities, especially confidentiality and integrity assurance. According to Menezes et al. [1], confidentiality is the assurance that no one except authorised parties can interpret information, while data integrity is the assurance that any unauthorised alteration of message content will be detected. One approach to providing both is to combine two different schemes, one for confidentiality and one for integrity assurance. A more compact approach is to use Authenticated Encryption (AE) schemes, which provide confidentiality and integrity assurance for a message simultaneously. AE can be constructed from different mechanisms; the most common construction is a block cipher mode of operation, which is the focus of this thesis.

AE schemes are used in a wide range of applications and have been defined by standardisation organisations. The National Institute of Standards and Technology (NIST) recommends two AE block cipher modes, CCM [2] and GCM [3]. However, attacks have been proposed against certain AE schemes [4]; in particular, the interaction between the confidentiality and integrity assurance components of an AE scheme can cause problems unless special care is taken [5]. Therefore, at the beginning of 2013, the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) was launched to invite proposals for AE schemes that improve on GCM in both security and speed [6].

The overall aim of this research is to analyse the security of some block cipher modes of operation submitted to CAESAR. The analysis considers the structure of the block cipher mode used in each AE scheme, which may reveal weaknesses in the integrity assurance that can be exploited in forgery attacks. Further, fault attacks are proposed against certain CAESAR block cipher modes. Finally, an AE block cipher mode is proposed that is resilient against side channel leakage, misuse resistant, and online at both the sender and receiver sides.

This thesis analyses four block cipher modes, ++AE, OTR, XEX/XE and AEZ, and makes five contributions.

The first contribution identifies serious flaws in the integrity assurance mechanism of ++AE [7]. Most significantly, it does not verify the most significant bit of any message block. Other flaws are also identified that allow forgeries (including addition, deletion and swapping of certain blocks) of a chosen plaintext message. This work therefore concludes that ++AE is insecure as an authenticated encryption mode of operation.

The second contribution is an investigation of the generic OTR mode [8,9]. The current masking coefficients are specific to the finite field used to update the masks. This work shows that certain choices of primitive polynomial result in mask collisions that can be exploited in forgery attacks. As an alternative, generic masking coefficients are proposed that can be used with any block size and any primitive polynomial without affecting the security provided by the scheme.

Thirdly, fault attacks are applied to the XEX/XE modes [10] to either eliminate the effect of the secret masks or retrieve their values. Either outcome exposes the underlying block cipher, so that existing fault attack techniques can recover the secret key. Different fault attack methods are demonstrated using permanent, transient and biased fault injections. This work also shows that the AE modes COPA, ELmD, SHELL, OCB2 and OTR are susceptible to these fault attack techniques.

The fourth contribution describes a fault analysis of AEZ [11], focusing mainly on AEZ v4.2 and the most recent version, AEZ v5. This work shows that all three 128-bit keys of AEZ v4.2 can be uniquely retrieved using only three fault injections, and that a similar approach using four fault injections uniquely recovers all keys of AEZ v5. Two approaches are suggested to prevent attackers from exploiting the structure of AEZ to minimise the number of faults required.

The final contribution studies the leakage of existing AE block cipher modes that can be exploited in side channel attacks. Certain AE proposals provide leakage resilience and misuse resistance on the sender side only (not on the receiver side), while others provide both on both sides but cannot perform online computation. This work proposes an AE block cipher mode that is online, leakage resilient and misuse resistant at both the sender and receiver ends.

Contents

Keywords
Abstract
Table of Contents
List of Figures
List of Tables
Notation
Declaration
Previously Published Material
Acknowledgements

Chapter 1 Introduction
  1.1 Background and motivation
  1.2 Research aims and objectives
  1.3 Research contributions
  1.4 Organisation of thesis

Chapter 2 Background and literature review
  2.1 Confidentiality provided by block ciphers
    2.1.1 Block ciphers
    2.1.2 Modes of operation
  2.2 Integrity assurance provided by block ciphers
    2.2.1 Message authentication codes
    2.2.2 Properties of message authentication codes
    2.2.3 Construction of message authentication codes
  2.3 Authenticated encryption
    2.3.1 Classification of AE schemes
    2.3.2 Generic composition
    2.3.3 Dedicated AE schemes
    2.3.4 Comparison between dedicated AE modes
    2.3.5 CAESAR competition
    2.3.6 Selected block cipher-based AE modes
  2.4 Cryptanalytic attacks
    2.4.1 Attack goals
    2.4.2 Attack models
    2.4.3 Confidentiality attacks
    2.4.4 Integrity assurance attacks
    2.4.5 Implementation attacks
  2.5 Summary

Chapter 3 Analysis of ++AE authenticated encryption mode
  3.1 Description of ++AE
  3.2 Fundamental flaw in ++AE
  3.3 Other integrity assurance flaws in ++AE
    3.3.1 Repeating internal vectors I_{i-1} and Q_{i-1}
    3.3.2 Groups of blocks that result in the same MDC value
  3.4 Forgery attacks on ++AE
    3.4.1 Forgery attack using two groups
    3.4.2 Forgery attack using a single group
  3.5 Experimental verification
    3.5.1 Verification of insertion and deletion attack
    3.5.2 Verification of swapping attack using two groups
    3.5.3 Verification of swapping attack using a single group
  3.6 General remarks about ++AE design
  3.7 Conclusion

Chapter 4 Tweaking generic OTR mode to avoid forgery attacks
  4.1 Tweakable block ciphers
  4.2 OTR description
    4.2.1 Generic OTR mode
    4.2.2 AES-OTR mode
  4.3 Existing analysis of OTR
  4.4 New analysis of OTR
    4.4.1 Proposed attacks
  4.5 Proposed solution
    4.5.1 Proposed instantiation of encryption/decryption core
    4.5.2 Proposed instantiation of authentication core
  4.6 Alternative solution
  4.7 Security bounds for OTR using the new masking coefficients
  4.8 Conclusion

Chapter 5 Analysis of XEX mode using fault attacks
  5.1 Preliminaries
    5.1.1 AES description
    5.1.2 The design of XEX mode
    5.1.3 Fuhr et al.'s fault attack on AES
  5.2 Existing fault attacks on XEX
  5.3 Eliminating the masks in XEX mode
    5.3.1 Stuck-at-zero fault attack
    5.3.2 Skipping an instruction fault attack
    5.3.3 Security implication for mask elimination
  5.4 A ciphertext only attack to reveal secret mask L
    5.4.1 Fault model A at round 9
    5.4.2 Fault model A at round 8
    5.4.3 Fault model B
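The mask-collision problem raised in the second contribution (OTR, Chapter 4) can be made concrete with a small field computation. The Python below is an added illustration written for this page; it is not code from the thesis or from the OTR designers, and it uses the generic XEX-style mask family (2^i·L for the i-th data block, 3·L for a distinguished final block) rather than OTR's exact coefficient set, which the abstract does not reproduce. It multiplies in GF(2^n) modulo a caller-supplied polynomial and searches for an index i at which the constant 2^i equals another coefficient, so that two positions receive the same mask for every secret L. The degree-8 fields, the search bounds and the AES test vector are constructed toy parameters; the 128-bit polynomial x^128 + x^7 + x^2 + x + 1 is the standard one used by OCB/XEX-style modes.

```python
"""Mask-collision check for XEX-style doubling masks in GF(2^n).

Added illustration, not code from the thesis. Per-block masks in XEX/OTR-style
modes are products of a secret block L with small field constants
(2^i, 3*2^i, ...), computed in GF(2^n) modulo a primitive polynomial. Two
coefficients that are equal as field elements yield the same mask, and a mode
whose proof assumes distinct masks can then be forged. Which coefficients
coincide, and at which block index, depends on the chosen polynomial.
"""
from typing import List, Optional


def gf_double(a: int, n: int, poly: int) -> int:
    """Multiply a by x (the constant 2) in GF(2^n).

    `poly` is the reduction polynomial including its x^n term, e.g. 0x11d for
    x^8 + x^4 + x^3 + x^2 + 1. Requires 0 <= a < 2^n."""
    a <<= 1
    if a >> n:
        a ^= poly  # clears the x^n bit and reduces
    return a


def gf_mul(a: int, b: int, n: int, poly: int) -> int:
    """Schoolbook (shift-and-add) multiplication in GF(2^n)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = gf_double(a, n, poly)
    return r


def gf_pow(a: int, e: int, n: int, poly: int) -> int:
    """Square-and-multiply exponentiation in GF(2^n)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, n, poly)
        a = gf_mul(a, a, n, poly)
        e >>= 1
    return r


def multiplicative_order(a: int, n: int, poly: int) -> int:
    """Smallest k > 0 with a^k == 1. Brute force; intended for small n."""
    y, k = a, 1
    while y != 1:
        y = gf_mul(y, a, n, poly)
        k += 1
    return k


def is_primitive(n: int, poly: int) -> bool:
    """poly is primitive iff x (= 2) generates the full group of 2^n - 1 units."""
    return multiplicative_order(2, n, poly) == (1 << n) - 1


def primitive_polys(n: int, count: int) -> List[int]:
    """First `count` primitive polynomials of degree n, found by brute force
    over odd candidates (constant term 1 keeps x invertible in the ring)."""
    found: List[int] = []
    p = (1 << n) | 1
    while len(found) < count:
        if is_primitive(n, p):
            found.append(p)
        p += 2
    return found


def first_mask_collision(n: int, poly: int, max_i: int,
                         target: int = 3) -> Optional[int]:
    """Smallest i in [1, max_i] with 2^i == target in GF(2^n), i.e. the block
    mask 2^i * L equals target * L for every L. Returns None if no i in range.
    target=3 checks the 3L coefficient; target=1 gives the doubling period."""
    m = 2  # 2^1
    for i in range(1, max_i + 1):
        if m == target:
            return i
        m = gf_double(m, n, poly)
    return None


def demo() -> None:
    # Two primitive degree-8 polynomials (toy fields): 3 is always some 2^k,
    # but the index k, hence the colliding block number, changes with the field.
    for poly in primitive_polys(8, 2):
        k = first_mask_collision(8, poly, 254, target=3)
        print(f"GF(2^8)/{poly:#x}: 2^{k} == 3, masks 2^{k}L and 3L coincide")
    # The AES polynomial 0x11b is irreducible but not primitive: the doubling
    # mask 2^i L cycles back to L after a short period.
    print("0x11b doubling period:", first_mask_collision(8, 0x11b, 255, target=1))
    # Standard 128-bit polynomial: no hit on 3L within the first 2^16 blocks.
    print("128-bit, first 2^16 blocks:",
          first_mask_collision(128, (1 << 128) | 0x87, 1 << 16))


if __name__ == "__main__":
    demo()
```

Two practical points fall out of running it. First, with a non-primitive polynomial such as the AES one, the doubling mask repeats after 51 blocks, so any mode that updates masks by doubling must reduce modulo a primitive polynomial. Second, even among primitive polynomials every coefficient like 3 lies somewhere on the orbit of 2, and the block index at which it lands is a property of the polynomial, not of the mode; this polynomial-dependent coincidence is what field-independent masking coefficients are meant to rule out.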