The Best of Both Worlds: Authenticated Encryption

Foundations of Cryptography, Computer Science Department, Wellesley College, Fall 2016

Table of contents
• Introduction
• Authenticated encryption
• The real McCoy

Secrecy and integrity
• We began our studies with techniques for obtaining secrecy and moved on to ensuring message integrity.
• Why not build systems that ensure both at all times?
• Well, there is an old saying ...

Our goal
• We seek an “ideally secure” communication channel that provides both secrecy and integrity.
• Not so easy. Instead, we provide a simpler set of definitions that treat secrecy and integrity separately, which suffices to understand the key issues.
• We begin with a CCA-secure private-key encryption scheme $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$. Since $\Pi$ does not satisfy the syntax of a message authentication code, we must introduce a definition specific to this case.

Unforgeable encryption schemes
The unforgeable encryption experiment $\text{Enc-forge}_{\mathcal{A},\Pi}(n)$:
1. A random key $k$ is generated by running $\mathsf{Gen}(1^n)$.
2. The adversary $\mathcal{A}$ is given input $1^n$ and oracle access to $\mathsf{Enc}_k(\cdot)$. The adversary eventually outputs a ciphertext $c$.
3. Let $m := \mathsf{Dec}_k(c)$ and let $\mathcal{Q}$ denote the set of all queries that $\mathcal{A}$ asked its encryption oracle. The output of the experiment is defined to be 1 if and only if (1) $m \neq \bot$ and (2) $m \notin \mathcal{Q}$.

Definition 4.16. A private-key encryption scheme $\Pi$ is unforgeable if for all probabilistic polynomial-time adversaries $\mathcal{A}$ there exists a negligible function $\mathsf{negl}$ such that
$$\Pr[\text{Enc-forge}_{\mathcal{A},\Pi}(n) = 1] \le \mathsf{negl}(n).$$

Definition 4.17. A private-key encryption scheme is an authenticated encryption scheme if it is CCA-secure and unforgeable.
It may be tempting to think ...
• Any reasonable combination of a secure encryption scheme and a secure message authentication code should result in an authenticated encryption scheme.
• Not so fast: these things must be done delicately or you ruin the spell.
• Let’s start with a CPA-secure encryption scheme $\Pi_E = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ and a message authentication code $\Pi_M = (\mathsf{Mac}, \mathsf{Vrfy})$.

Encrypt-and-authenticate*
Encrypt-and-authenticate: Encryption and authentication are computed independently in parallel. That is, given $m$, the sender transmits the ciphertext $\langle c, t \rangle$ where
$$c \leftarrow \mathsf{Enc}_{k_E}(m) \quad\text{and}\quad t \leftarrow \mathsf{Mac}_{k_M}(m).$$
The receiver decrypts $c$ to recover $m$; assuming no error occurred, it then verifies the tag $t$. If $\mathsf{Vrfy}_{k_M}(m, t) = 1$ the receiver outputs $m$; otherwise it outputs an error.
*We analyze this and other schemes when they are instantiated with “generic” secure components, i.e., an arbitrary CPA-secure encryption scheme and an arbitrary (strongly) secure MAC.

Analysis of encrypt-and-authenticate
• This approach may not achieve even the most basic level of secrecy, since a secure MAC does not guarantee any secrecy, and so it is possible for the tag $\mathsf{Mac}_{k_M}(m)$ to leak information about $m$ to an eavesdropper.
• In fact, it is likely to be insecure against chosen-plaintext attacks even when instantiated with standard components.
• In particular, if a deterministic MAC like CBC-MAC is used, then the tag computed on a message is the same every time. This allows an eavesdropper to identify when the same message is sent twice.

Authenticate-then-encrypt
Authenticate-then-encrypt: Here a MAC tag $t$ is first computed, and then the message and tag are encrypted together. That is, given a message $m$,
$$t \leftarrow \mathsf{Mac}_{k_M}(m) \quad\text{and}\quad c \leftarrow \mathsf{Enc}_{k_E}(m \| t).$$
The receiver decrypts $c$ to recover $m \| t$; assuming no error occurred, it then verifies the tag $t$. As before, if $\mathsf{Vrfy}_{k_M}(m, t) = 1$ the receiver outputs $m$; otherwise it outputs an error.

Sad, but true
This one fails too, even for some of our old CPA-secure favorites such as CBC-mode-with-padding. Recall this scheme works by first padding the plaintext (in our case $m \| t$) so the result is a multiple of the block length, and then encrypting the result using CBC mode. There are two sources of potential decryption failure: a “bad-padding” error, or the MAC tag does not verify.*
*Assuming the attacker can distinguish between the two, she can now apply the same chosen-ciphertext attack described earlier.

Why not ensure there is only a single error message
• There may be legitimate reasons* to have multiple error messages.
• Forcing the error messages to be the same means that the combination is no longer truly generic.
• Most of all, it is extraordinarily hard to ensure that the different errors cannot be distinguished.**
*Usability, debugging, etc.
**Even a difference in the time to return each of these errors may be used to distinguish them.

Encrypt-then-authenticate
Encrypt-then-authenticate: In this case, the message $m$ is first encrypted to obtain $c$ and then a MAC tag $t$ is computed over the result. The ciphertext is the pair $\langle c, t \rangle$. That is, given a message $m$,
$$c \leftarrow \mathsf{Enc}_{k_E}(m) \quad\text{and}\quad t \leftarrow \mathsf{Mac}_{k_M}(c).$$
If $\mathsf{Vrfy}_{k_M}(c, t) = 1$ the receiver decrypts $c$ and outputs the result; otherwise it outputs an error.

A generic construction of an authenticated encryption scheme
Construction 4.18. Let $\Pi_E = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ be a private-key encryption scheme and let $\Pi_M = (\mathsf{Mac}, \mathsf{Vrfy})$ be a message authentication code, where each key is a uniformly chosen $n$-bit value.
Define a private-key encryption scheme $(\mathsf{Gen}', \mathsf{Enc}', \mathsf{Dec}')$ as follows:
• $\mathsf{Gen}'$: On input $1^n$, choose independent, uniform $k_E, k_M \in \{0,1\}^n$ and output the key $(k_E, k_M)$.
• $\mathsf{Enc}'$: On input a key $(k_E, k_M)$ and a plaintext message $m$, compute $c \leftarrow \mathsf{Enc}_{k_E}(m)$ and $t \leftarrow \mathsf{Mac}_{k_M}(c)$. Output the ciphertext $\langle c, t \rangle$.
• $\mathsf{Dec}'$: On input a key $(k_E, k_M)$ and a ciphertext $\langle c, t \rangle$, first check whether $\mathsf{Vrfy}_{k_M}(c, t) \stackrel{?}{=} 1$. If yes, then output $\mathsf{Dec}_{k_E}(c)$; if no, then output $\bot$.

Party time: This approach is sound
Strong security of the MAC ensures that the adversary will be unable to generate any valid ciphertext that it did not receive from its encryption oracle, so the scheme is unforgeable. The MAC computed over the ciphertext has the effect of rendering the decryption oracle useless, since for every ciphertext $\langle c, t \rangle$ submitted to the decryption oracle, either
1. the adversary already knows the decryption because it received $\langle c, t \rangle$ from its encryption oracle; or
2. the adversary will almost surely get an error, since the adversary cannot generate any new, valid ciphertexts.
This means CCA-security of the combined scheme reduces to the CPA-security of $\Pi_E$.

A real live authenticated encryption scheme
Theorem 4.19. Let $\Pi_E = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ be a CPA-secure private-key encryption scheme and let $\Pi_M = (\mathsf{Mac}, \mathsf{Vrfy})$ be a strongly secure message authentication code. Then Construction 4.18 is an authenticated encryption scheme.

Proof. Let $\Pi'$ denote the scheme resulting from Construction 4.18. We need to show that $\Pi'$ is unforgeable and that it is CCA-secure. Call a ciphertext $\langle c, t \rangle$ valid if $\mathsf{Vrfy}_{k_M}(c, t) = 1$. We show that strong security of $\Pi_M$ implies that (except with negligible probability) any “new”* ciphertexts the adversary submits to the decryption oracle will be invalid.

Let $\mathcal{A}$ be a PPT adversary attacking Construction 4.18 in a chosen-ciphertext attack and let $\mathsf{ValidQuery}$ be the event that $\mathcal{A}$ submits a new valid ciphertext to its decryption oracle.
*Here, new means that $\mathcal{A}$ did not receive $\langle c, t \rangle$ from its encryption oracle or as the challenge ciphertext.

Security against chosen-ciphertext attacks (CCA) revisited
The CCA indistinguishability experiment $\mathsf{PrivK}^{\mathrm{cca}}_{\mathcal{A},\Pi'}(n)$:
1. A key $k$ is generated by running $\mathsf{Gen}(1^n)$.
2. The adversary $\mathcal{A}$ is given $1^n$ and oracle access to $\mathsf{Enc}_k(\cdot)$ and $\mathsf{Dec}_k(\cdot)$. It outputs a pair of messages $m_0, m_1 \in \mathcal{M}$ of the same length.
3. A random bit $b \in \{0,1\}$ is chosen. A challenge ciphertext $c \leftarrow \mathsf{Enc}_k(m_b)$ is computed and given to $\mathcal{A}$.
4. The adversary continues to have oracle access to $\mathsf{Enc}_k(\cdot)$ and $\mathsf{Dec}_k(\cdot)$, but $\mathcal{A}$ is not allowed to query the latter on the challenge ciphertext. Eventually $\mathcal{A}$ outputs a bit $b'$.
5. The output of the experiment is defined to be 1 if $b' = b$, and 0 otherwise. We write $\mathsf{PrivK}^{\mathrm{cca}}_{\mathcal{A},\Pi'}(n) = 1$ if the output is 1, and in this case we say that $\mathcal{A}$ succeeded.

Off we go then
Claim 4.20. $\Pr[\mathsf{ValidQuery}]$ is negligible.

Proof. Define $\mathcal{A}_M$ attacking $\Pi_M$ in experiment $\text{Mac-sforge}_{\mathcal{A}_M,\Pi_M}(n)$:
Adversary $\mathcal{A}_M$: $\mathcal{A}_M$ is given $1^n$ and access to oracle $\mathsf{Mac}_{k_M}(\cdot)$.
1. Choose uniform $k_E \in \{0,1\}^n$ and $i \in \{1, \ldots, q(n)\}$*.
2. Run $\mathcal{A}$ on input $1^n$. When $\mathcal{A}$ makes an encryption-oracle query for $m$, answer as follows:
   2.1 Compute $c \leftarrow \mathsf{Enc}_{k_E}(m)$.
   2.2 Query $c$ to the MAC oracle and receive $t$. Return $\langle c, t \rangle$ to $\mathcal{A}$.
   The challenge ciphertext is produced the same way, with $b \in \{0,1\}$ chosen to select $m_b$.
   When $\mathcal{A}$ makes a decryption-oracle query for $\langle c, t \rangle$, answer as follows: if this is the $i$th decryption-oracle query, output $\langle c, t \rangle$. Otherwise:
   2.1 If $\langle c, t \rangle$ was a response to a previous encryption-oracle query for a message $m$, return $m$.
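Construction 4.18 next to the encrypt-and-authenticate pitfall from the analysis slide, as an added example that is not part of the original slides: HMAC-SHA256 is assumed both as the PRF of a randomized counter-mode $\Pi_E$ and as the deterministic, strongly secure MAC $\Pi_M$, and the function names (`enc_prime`, `dec_prime`, `ea_enc`) are mine.

```python
"""
Added example (not from the slides).  Assumed instantiations:
  Pi_E = (gen, enc, dec)  randomized counter mode over the PRF
                          F_k(x) = HMAC-SHA256(k, x); CPA-secure
  Pi_M = (mac, vrfy)      HMAC-SHA256 as a deterministic, strongly secure MAC
"""
import hashlib
import hmac
import secrets

N = 32        # key length n in bytes
R = 16        # length of the random value r prepended to each ciphertext
BLOCK = 32    # PRF output length in bytes


def prf(k: bytes, x: bytes) -> bytes:
    """F_k(x): HMAC-SHA256 used as a pseudorandom function."""
    return hmac.new(k, x, hashlib.sha256).digest()


# ----- Pi_E: CPA-secure encryption (randomized counter mode from a PRF) -----
def gen() -> bytes:
    return secrets.token_bytes(N)


def keystream(k_e: bytes, r: bytes, nbytes: int) -> bytes:
    """F_kE(r || 0) || F_kE(r || 1) || ..., truncated to nbytes."""
    blocks = (nbytes + BLOCK - 1) // BLOCK
    return b"".join(prf(k_e, r + i.to_bytes(4, "big")) for i in range(blocks))[:nbytes]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(k_e: bytes, m: bytes) -> bytes:
    r = secrets.token_bytes(R)                  # fresh randomness per encryption
    return r + xor(m, keystream(k_e, r, len(m)))


def dec(k_e: bytes, c: bytes) -> bytes:
    r, body = c[:R], c[R:]
    return xor(body, keystream(k_e, r, len(body)))


# ----- Pi_M: message authentication code -----
def mac(k_m: bytes, x: bytes) -> bytes:
    return prf(k_m, x)


def vrfy(k_m: bytes, x: bytes, t: bytes) -> bool:
    # constant-time comparison: a timing difference is itself a distinguishable error
    return hmac.compare_digest(mac(k_m, x), t)


# ----- Encrypt-and-authenticate: <Enc_kE(m), Mac_kM(m)> -----
def ea_enc(key, m: bytes):
    k_e, k_m = key
    return enc(k_e, m), mac(k_m, m)


# ----- Construction 4.18: encrypt-then-authenticate -----
def gen_prime():
    """Gen': two independent uniform n-bit keys (k_E, k_M)."""
    return gen(), gen()


def enc_prime(key, m: bytes):
    """Enc': c <- Enc_kE(m), t <- Mac_kM(c); output <c, t>."""
    k_e, k_m = key
    c = enc(k_e, m)
    return c, mac(k_m, c)


def dec_prime(key, ct):
    """Dec': verify the tag over c first; output Dec_kE(c) or bottom (None)."""
    k_e, k_m = key
    c, t = ct
    if not vrfy(k_m, c, t):
        return None             # single error path, reached before any decryption
    return dec(k_e, c)


def repeated_message_visible() -> bool:
    """Encrypt-and-authenticate with a deterministic MAC: two encryptions of the
    same (constructed) message have different ciphertexts but identical tags, so
    an eavesdropper learns the message was repeated without decrypting anything."""
    key = gen_prime()
    c1, t1 = ea_enc(key, b"meeting moved to 10:00")
    c2, t2 = ea_enc(key, b"meeting moved to 10:00")
    _, t3 = ea_enc(key, b"meeting moved to 11:00")
    return c1 != c2 and t1 == t2 and t1 != t3


def new_ciphertexts_rejected() -> bool:
    """Construction 4.18: a ciphertext not produced by Enc' fails Vrfy and yields
    bottom, whether c or t was altered, while the genuine pair decrypts correctly."""
    key = gen_prime()
    c, t = enc_prime(key, b"transfer 100")
    altered = bytearray(c)
    altered[-1] ^= 0x01                         # change one ciphertext byte, keep the tag
    return (dec_prime(key, (bytes(altered), t)) is None
            and dec_prime(key, (c, bytes(BLOCK))) is None   # wrong tag
            and dec_prime(key, (c, t)) == b"transfer 100")
```

`dec_prime` returns the one value ⊥ (here `None`) for every rejected ciphertext, whatever the cause, which is the single-error-message property the slides say is so hard to obtain for authenticate-then-encrypt.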