Hash Functions & MACs, ECE 646 Lecture 9


Required Reading
W. Stallings, "Cryptography and Network Security":
• Chapter 11, Cryptographic Hash Functions
• Appendix 11A, Mathematical Basis of the Birthday Attack
• Chapter 12, Message Authentication Codes

Recommended Reading
• SHA-3 Competition 2007-2012, http://csrc.nist.gov/groups/ST/hash/sha-3

Digital Signature (figure)
Alice: Message → hash function → hash value → public key algorithm with Alice's private key → Signature. Alice sends the Message together with the Signature.
Bob: Message → hash function → hash value 1. Signature → public key algorithm with Alice's public key → hash value 2. Hash value 1 = hash value 2? yes / no.

Hash function (figure)
A message m of arbitrary length → hash function h → hash value h(m) of fixed length.

Vocabulary
hash function; hash value, message digest, hash total, fingerprint, imprint, cryptographic checksum, compressed encoding, MDC (Message Digest Code)

Hash functions: basic requirements
1. Public description, NO key
2. Compression: arbitrary length input → fixed length output
3. Ease of computation

Hash functions: security requirements
It is computationally infeasible:
1. Preimage resistance: given y, to find x such that h(x) = y
2. 2nd preimage resistance: given x and y = h(x), to find x' ≠ x such that h(x') = h(x) = y
3. Collision resistance: to find any pair x' ≠ x such that h(x') = h(x)

Dependence between requirements
collision resistant ⇒ 2nd preimage resistant

One-Way Hash Functions (OWHF) vs. Collision-Resistant Hash Functions (CRHF)
• OWHF: preimage resistance and 2nd preimage resistance
• CRHF: 2nd preimage resistance and collision resistance (preimage resistance: ?)

Brute force attack against an (unkeyed) One-Way Hash Function
Given an n-bit value y, the forger generates up to 2^n messages m_i, i = 1..2^n, all with the contents required by the forger, and computes h(m_i) until h(m_i) = y.

Brute force attack against a Collision-Resistant Hash Function (Yuval)
The forger generates r messages m_i, i = 1..r, acceptable for the signer, and r messages m_j, j = 1..r, required by the forger, computes the n-bit values h(m_i) and h(m_j), and looks for any pair with h(m_i) = h(m_j). The signer signs m_i; the signature is then valid for m_j as well.

Creating multiple versions of the required message
I {state | confirm} that I {received | borrowed} {$10,000 | ten thousand dollars} from {Mr. Kris | Dr. Krzysztof} Gaj on {December 4, 2018 | 12/04/2018}. This {sum of money | money} {should be returned | is required to be given back} to {Mr. | Dr.} Gaj by the {18th | eighteenth} day of {December | Dec.} 2018.

Creating multiple versions of the message acceptable for the signer
I {state | confirm} that I {received | borrowed} a {paper | manuscript | text | item} on {security of Ethereum blockchains | side-channel attacks for PQC} from {Mr. Kris | Dr. Krzysztof} Gaj on {December 4, 2018 | 12/04/2018}. This {paper | manuscript | text | item} {should be returned | is required to be given back} to {Mr. | Dr.} Gaj by the {18th | eighteenth} day of {December | Dec.} 2018.
Every slot with k alternatives multiplies the number of equivalent messages by k, so a few dozen binary slots already yield the 2^{n/2} variants the attack needs.

Birthday paradox
How many students must be in a class so that there is a greater than 50% chance that
1. one of the students shares the teacher's birthday (day and month)? ≈ 366/2 = 183
2. any two of the students share the same birthday (day and month)? ≈ √366 ≈ 19
(The exact answer to question 2 is 23; √366 gives the order of magnitude, which is what matters for hash sizes.)

Brute force attack against a Collision-Resistant Hash Function: probability
Probability p that two different messages have the same hash value, with r candidate messages on each side and an n-bit hash:
p = 1 − exp(−r² / 2^n)
For r = 2^{n/2}: p = 1 − e^{−1} ≈ 63%.
(When a single list of r messages is searched for any internal collision there are only r(r−1)/2 pairs, so the estimate becomes 1 − exp(−r²/2^{n+1}), about 39% at r = 2^{n/2}; in either form the work is on the order of 2^{n/2} hash computations.)

Storage requirements
J.J. Quisquater's collision search algorithm (distinguished points):
• Number of operations: 2·√(π/2) · 2^{n/2} ≈ 2.5 · 2^{n/2}
• Storage: negligible

Hash value size
                                           One-Way                              Collision-Resistant
Older algorithms (currently insecure)      n ≥ 64 (8 bytes)                     n ≥ 128 (16 bytes)
Old standards                              n ≥ 80 (10 bytes)                    n ≥ 160 (20 bytes)
Current standards (e.g., SHA-2, SHA-3)     n = 128, 192, 256 (16, 24, 32 bytes) n = 256, 384, 512 (32, 48, 64 bytes)

Hash function algorithms
Customized (dedicated):
• MD2, Rivest, 1988
• MD4, Rivest, 1990
• MD5, Rivest, 1991
• SHA-0, NSA, 1993
• RIPEMD, European RACE Integrity Primitives Evaluation project, 1992
• SHA-1, NSA, 1995
• RIPEMD-160, 1996
• SHA-256, SHA-384, SHA-512, NSA, 2000
Based on block ciphers:
• MDC-2, MDC-4, IBM (Brachtl, Meyer, Schilling), 1988
Based on modular arithmetic:
• MASH-1, 1988-1996

Attacks against dedicated hash functions known by 2004
• MD2: partially broken
• MD4: broken, H. Dobbertin, 1995 (one hour on a PC, 20 free bytes at the start of the message)
• MD5: weakness discovered, Dobbertin, 1996: collisions for the compression function (10 hours on a PC)
• SHA-0: partially broken, 1998, France
• RIPEMD: partially broken, Dobbertin, 1995 (reduced-round version)
• SHA-1 (NSA, 1995): reduced-round version broken
• RIPEMD-160, SHA-256, SHA-384, SHA-512: no attacks

What was discovered in 2004-2005?
• MD4: broken, Wang, Feng, Lai, Yu, Crypto 2004 (manually, without using a computer)
• MD5: broken, Wang, Feng, Lai, Yu, Crypto 2004 (1 hour on a PC)
• SHA-0: broken, Wang, Feng, Lai, Yu, Crypto 2004, attack with 2^40 operations
• RIPEMD: broken, Wang, Feng, Lai, Yu, Crypto 2004
• SHA-1: collisions with 2^63 operations, Wang, Yin, Yu, August 2005
• RIPEMD-160, SHA-256, SHA-384, SHA-512: no attacks

What do 2^63 operations cost? (Schneier, 2005)
In hardware, a machine similar to the one used to break DES:
• cost $50,000-$70,000, time 18 days, or
• cost $0.9-1.26M, time 24 hours
In software, a computer network similar to the distributed.net effort that broke DES (~331,252 computers):
• cost ~$0, time 7 months

Recommendations of NIST (1)
NIST Brief Comments on Recent Cryptanalytic Attacks on SHA-1, Feb 2005:
• The new attack is applicable primarily to the use of hash functions in digital signatures.
• In many cases applications of digital signatures introduce additional context information, which may make attacks impractical.
• Other applications of hash functions, such as Message Authentication Codes (MACs), are not threatened by the new attacks.

Recommendations of NIST (2)
• NIST was already planning to withdraw SHA-1 in favor of SHA-224, SHA-256, SHA-384 and SHA-512 by 2010.
• New implementations should use new hash functions.
• NIST encourages government agencies to develop plans for gradually moving towards new hash functions, taking into account the sensitivity of the systems when setting the timetables.

SHA-3 Contest Timeline
2007
• publication of requirements
• 29.X.2007: request for candidates
2008
• 31.X.2008: deadline for submitting candidates
• 9.XII.2008: announcement of 51 candidates accepted for Round 1
2009
• 25-28.II.2009: 1st SHA-3 Candidate Conference, Leuven, Belgium
• 24.VII.2009: 14 Round 2 candidates announced
2010
• 23-24.VIII.2010: 2nd SHA-3 Candidate Conference, Santa Barbara, CA
• 9.XII.2010: 5 Round 3 candidates announced
2012
• 22-23.III.2012: 3rd SHA-3 Candidate Conference, Washington, D.C.
• 2.X.2012: selection of the winner
2014
• 28.V.2014: draft version of the standard published
2015
• 5.VIII.2015: final version of the standard published

Number of Submissions
• Number of submissions received by NIST: 64
• Number of submissions publicly available: 56
• Number of submissions qualified to the first round: 51

Basic Requirements for a new hash function
• Must support hash values of 224, 256, 384 and 512 bits
• Available worldwide without licensing fees
• Secure over tens of years
• Suitable for use in
  - digital signatures, FIPS 186
  - message authentication codes, HMAC, FIPS 198
  - key agreement schemes, SP 800-56A
  - random number generators, SP 800-90
• At least the same security level as SHA-2 with increased efficiency

SHA-3 Contest: 2008-2012
• Round 1: 51 candidates, Oct. 2008 (security analysis & software benchmarking)
• Round 2: 14 candidates, Jul. 2009 (hardware benchmarking)
• Round 3: 5 candidates, Dec. 2010
• Winner: 1, Oct. 2012

FPGA Benchmarking of Round 2 Candidates
Technology   Altera low-cost   Altera high-performance   Xilinx low-cost   Xilinx high-performance
90 nm        Cyclone II        Stratix II                Spartan 3         Virtex 4
65 nm        Cyclone III       Stratix III               (none)            Virtex 5
Designers: Marcin Rogawski, Ekawat Homsirikamol ("Ice")

ATHENa: Automated Tool for Hardware EvaluatioN
• Open-source
• Written in Perl
• Developed 2009-2012
• Automated search for optimal
  - options of tools
  - target frequency
  - starting placement point
• Supporting Xilinx ISE & Altera Quartus
• FPL Community Award 2010, Milan, Italy, Sep. 2010
(Image of the Athena goddess courtesy of Carolyn Angus)

ATHENa Inputs/Outputs
Inputs: configuration files, testbench, synthesizable source files. Outputs: result summary (human-friendly) and database entries (machine-friendly).

ATHENa Database of Results
http://cryptography.gmu.edu/athenadb

ATHENa Gains
Figure: ratios of results obtained using ATHENa-suggested options vs. default options of the FPGA tools, for Area, Throughput and Throughput/Area.

Why ATHENa?
"The Greek goddess Athena was frequently called upon to settle disputes between the gods or various mortals. Athena, Goddess of Wisdom, was known for her superb logic and intellect. Her decisions were usually well-considered, highly ethical, and seldom motivated by self-interest." (from "Athena, Greek Goddess of Wisdom and Craftsmanship")
Figure: "working" with ATHENa vs. the old days.

SHA-3 Round 2 Results: 14 candidates
Figure: Throughput vs. Area, normalized to the results for SHA-2 and averaged over 7 FPGA families. Best: fast & small (top left); worst: slow & big (bottom right).

Research: Multiple Architectures
Horizontal folding (/2(h)):
• datapath width = state size / 2
• two clock cycles per one round/step
• throughput roughly halves, area shrinks; typically the Throughput/Area ratio increases

Research: Design Space Exploration
• Results for BLAKE & the old standard SHA-2
• All final SHA-3 candidates (Keccak, SHA-2, JH, BLAKE, Groestl)

Research: FPGA vs.
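The following Python is an added example, not part of the lecture, illustrating the two "Creating multiple versions" slides and the birthday-paradox slide above. It builds the signer's and the forger's messages from substitution slots, runs Yuval's attack against SHA-256 truncated to 16 bits (the truncation and the choice of 16 bits are this example's stand-in for an n-bit hash h), counts the trials a brute-force second-preimage search needs on the same hash for contrast, and computes the classroom birthday threshold exactly.

```python
"""Yuval's birthday attack on a short hash vs. a brute-force 2nd-preimage search.

Added example, not from the lecture slides. SHA-256 truncated to N_BITS models an
n-bit hash h; the message templates reuse the slides' substitution slots.
"""
import hashlib
import itertools
import math

N_BITS = 16  # hash length n; r1*r2 / 2**N_BITS gives ~32 expected cross-collisions

# Message the signer is willing to sign: one alternative per slot, all equivalent.
ACCEPTABLE_SLOTS = [
    ("I state that I ", "I confirm that I "),
    ("received a ", "borrowed a "),
    ("paper", "manuscript", "text", "item"),
    (" on security of Ethereum blockchains", " on side-channel attacks for PQC"),
    (" from Mr. Kris Gaj on ", " from Dr. Krzysztof Gaj on "),
    ("December 4, 2018. ", "12/04/2018. "),
    ("It should be returned to ", "It is required to be given back to "),
    ("Mr. Gaj", "Dr. Gaj"),
    (" by the 18th ", " by the eighteenth "),
    ("day of December 2018.", "day of Dec. 2018."),
]

# Message the forger wants a signature on, built the same way.
REQUIRED_SLOTS = [
    ("I state that I ", "I confirm that I "),
    ("received ", "borrowed "),
    ("$10,000", "ten thousand dollars"),
    (" from Mr. Kris Gaj on ", " from Dr. Krzysztof Gaj on "),
    ("December 4, 2018. ", "12/04/2018. "),
    ("This sum of money ", "This money "),
    ("should be returned to ", "is required to be given back to "),
    ("Mr. Gaj", "Dr. Gaj"),
    (" by the 18th ", " by the eighteenth "),
    ("day of December 2018.", "day of Dec. 2018."),
]


def variants(slots):
    """Every message obtainable by choosing one alternative per slot."""
    return ["".join(choice) for choice in itertools.product(*slots)]


def truncated_hash(message, n_bits=N_BITS):
    """SHA-256 truncated to its leading n_bits, modelling an n-bit hash h."""
    digest = hashlib.sha256(message.encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def yuval_attack(acceptable, required, n_bits=N_BITS):
    """Return (m_i, m_j) with h(m_i) == h(m_j), m_i acceptable and m_j required.

    Cost: len(acceptable) + len(required) hash evaluations and a lookup table.
    Returns None if the two lists happen not to collide.
    """
    table = {}
    for m in acceptable:
        table.setdefault(truncated_hash(m, n_bits), m)
    for m in required:
        h = truncated_hash(m, n_bits)
        if h in table:
            return table[h], m
    return None


def second_preimage_tries(target_message, n_bits=N_BITS):
    """Brute-force 2nd preimage: trials until another message hashes to h(target).

    Expected cost is about 2**n_bits evaluations, against about 2**(n_bits / 2)
    for the birthday attack above.
    """
    target = truncated_hash(target_message, n_bits)
    tries = 0
    while True:
        tries += 1
        candidate = f"candidate number {tries}"
        if candidate != target_message and truncated_hash(candidate, n_bits) == target:
            return tries, candidate


def collision_probability(r, n_bits):
    """The slide's estimate p = 1 - exp(-r^2 / 2^n) for r messages on each side."""
    return 1.0 - math.exp(-(r * r) / 2 ** n_bits)


def birthday_threshold(days=365):
    """Smallest class size with a > 50% chance that two students share a birthday."""
    p_all_distinct, k = 1.0, 0
    while p_all_distinct > 0.5:
        p_all_distinct *= (days - k) / days
        k += 1
    return k


if __name__ == "__main__":
    acc, req = variants(ACCEPTABLE_SLOTS), variants(REQUIRED_SLOTS)
    print(f"{len(acc)} acceptable and {len(req)} required variants, n = {N_BITS} bits")
    pair = yuval_attack(acc, req)
    if pair:
        print("collision:", pair, hex(truncated_hash(pair[0])))
    tries, _ = second_preimage_tries(req[0])
    print(f"2nd preimage of one required message took {tries} tries")
    print("exact class size for a shared birthday:", birthday_threshold(),
          "vs. sqrt(366) ~", round(math.sqrt(366), 1))
```

With 2048 acceptable and 1024 required variants the forger expects 2048·1024/2^16 = 32 cross-collisions after only 3072 hash computations, while the second-preimage loop typically needs tens of thousands; raising N_BITS shows how quickly the 2^{n/2} versus 2^n gap opens. The slide's p = 1 − exp(−r²/2^n) is exact in spirit for this two-list setting (r² pairs), which is why it lacks the factor 1/2 of the single-list birthday bound.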
Recommended publications
  • The Order of Encryption and Authentication for Protecting Communications (Or: How Secure Is SSL?)
    The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?). Hugo Krawczyk. Abstract. We study the question of how to generically compose symmetric encryption and authentication when building "secure channels" for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method. We demonstrate this by showing that the other common methods of composing encryption and authentication, including the authenticate-then-encrypt method used in SSL, are not generically secure. We show an example of an encryption function that provides (Shannon's) perfect secrecy but when combined with any MAC function under the authenticate-then-encrypt method yields a totally insecure protocol (for example, finding passwords or credit card numbers transmitted under the protection of such protocol becomes an easy task for an active attacker). The same applies to the encrypt-and-authenticate method used in SSH. On the positive side we show that the authenticate-then-encrypt method is secure if the encryption method in use is either CBC mode (with an underlying secure block cipher) or a stream cipher (that XORs the data with a random or pseudorandom pad). Thus, while we show the generic security of SSL to be broken, the current practical implementations of the protocol that use the above modes of encryption are safe. 1 Introduction The most widespread application of cryptography in the Internet these days is for implementing a secure channel between two end points and then exchanging information over that channel.
  • Authenticated Key-Exchange: Protocols, Attacks, and Analyses
    The HMAC construction: A decade later Ran Canetti IBM Research What is HMAC? ● HMAC: A Message Authentication Code based on Cryptographic Hash functions [Bellare-C-Krawczyk96]. ● Developed for the IPSec standard of the Internet Engineering Task Force (IETF). ● Currently: - incorporated in IPSec, SSL/TLS, SSH, Kerberos, SHTTP, HTTPS, SRTP, MSEC, ... - ANSI and NIST standards - Used daily by all of us. Why is HMAC interesting? ● “Theoretical” security analysis impacts the security of real systems. ● Demonstrates the importance of modelling and abstraction in practical cryptography. ● The recent attacks on hash functions highlight the properties of the HMAC design and analysis. ● Use the HMAC lesson to propose requirements for the next cryptographic hash function. Organization ● Authentication, MACs, Hash-based MACs ● HMAC construction and analysis ● Other uses of HMAC: ● Pseudo-Random Functions ● Extractors ● What properties do we want from a “cryptographic hash function”? Authentication m m' A B The goal: Any tampering with messages should be detected. “If B accepts message m from A then A has sent m to B.” • One of the most basic cryptographic tasks • The basis for any security-conscious interaction over an open network Elements of authentication The structure of typical cryptographic solutions: • Initial entity authentication: The parties perform an initial exchange, bootstrapping from initial trusted information on each other. The result is a secret key that binds the parties to each other. • Message authentication: The parties use the key to authenticate exchanged messages via message authentication codes. Message Authentication Codes m,t m',t' A B t=FK(m) t' =? FK(m') • A and B obtain a common secret key K • A and B agree on a keyed function F • A sends t=FK(m) together with m • B gets (m',t') and accepts m' if t'=FK(m').
  • Hello, and Welcome to This Presentation of the STM32 Hash Processor
    Hello, and welcome to this presentation of the STM32 hash processor. The hash peripheral is in charge of efficient computing of message digests. A digest is a fixed-length value computed from an input message. A digest is unique: it is virtually impossible to find two messages with the same digest. The original message cannot be retrieved from its digest. Hash digests and Hash-based Message Authentication Codes (HMAC) are widely used in communication since they are used to guarantee the integrity and authentication of a transfer. The hash processor supports widely used hash functions including Message Digest 5 (MD5), Secure Hash Algorithm SHA-1 and the more recent SHA-2 with its 224- and 256-bit digest length versions. A hash can also be generated with a secret key to produce a message authentication code (MAC). The processor supports bit, byte and half-word swapping. It also supports automatic padding of input data for block alignment. The processor can be used in conjunction with the DMA for automatic processor feeding. All supported hash functions work on 512-bit blocks of data. The input message is split as many times as needed to feed the hash processor. Subsequent blocks are computed sequentially. MD5 is the least robust function with only a 128-bit digest. The SHA standard has two versions, SHA-1 and the more recent SHA-2 with its 224- and 256-bit digest length versions. The hash-based message authentication code (HMAC) is used to authenticate messages and verify their integrity. The HMAC function consists of two nested hash functions with a secret key that is shared by the sender and the receiver.
  • Message Authentication Codes
    Message Authentication Codes. Was this message altered? Did he really send this? Raj Jain, Washington University in Saint Louis, Saint Louis, MO 63130, [email protected]. Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/ Washington University in St. Louis CSE571S ©2011 Raj Jain. Overview: 1. Message Authentication 2. MACs based on Hash Functions: HMAC 3. MACs based on Block Ciphers: DAA and CMAC 4. Authenticated Encryption: CCM and GCM 5. Pseudorandom Number Generation Using Hash Functions and MACs. These slides are based partly on Lawrie Brown's slides supplied with William Stallings's book "Cryptography and Network Security: Principles and Practice," 5th Ed, 2011. Message Security Requirements: Disclosure, Traffic analysis, Masquerade, Content modification, Sequence modification, Timing modification, Source repudiation, Destination repudiation. Message Authentication = Integrity + Source Authentication. Public-Key Authentication and Secrecy (figure: A encrypts the message with A's private key and then B's public key; B reverses the two steps). Double public key encryption provides authentication and integrity. Double public key is very compute intensive. A crypto checksum (MAC) is better: based on a secret key and the message; can also encrypt with the same or different key. MAC Properties: A MAC is a cryptographic checksum, MAC = C_K(M). It condenses a variable-length message M using a secret key to a fixed-sized authenticator. It is a many-to-one function: potentially many messages have the same MAC, but finding these needs to be very difficult. Properties: 1.
  • Stronger Security Variants of GCM-SIV
    Stronger Security Variants of GCM-SIV. Tetsu Iwata (Nagoya University, Nagoya, Japan, [email protected]) and Kazuhiko Minematsu (NEC Corporation, Kawasaki, Japan, [email protected]). Abstract. At CCS 2015, Gueron and Lindell proposed GCM-SIV, a provably secure authenticated encryption scheme that remains secure even if the nonce is repeated. While this is an advantage over the original GCM, we first point out that GCM-SIV allows a trivial distinguishing attack with about 2^48 queries, where each query has one plaintext block. This shows the tightness of the security claim and does not contradict the provable security result. However, the original GCM resists the attack, and this poses a question of designing a variant of GCM-SIV that is secure against the attack. We present a minor variant of GCM-SIV, which we call GCM-SIV1, and discuss that GCM-SIV1 resists the attack, and it offers a security trade-off compared to GCM-SIV. As the main contribution of the paper, we explore a scheme with a stronger security bound. We present GCM-SIV2 which is obtained by running two instances of GCM-SIV1 in parallel and mixing them in a simple way. We show that it is secure up to 2^85.3 query complexity, where the query complexity is measured in terms of the total number of blocks of the queries. Finally, we generalize this to show GCM-SIVr by running r instances of GCM-SIV1 in parallel, where r ≥ 3, and show that the scheme is secure up to 2^(128r/(r+1)) query complexity.
  • FIPS 198, the Keyed-Hash Message Authentication Code (HMAC)
    ARCHIVED PUBLICATION The attached publication, FIPS Publication 198 (dated March 6, 2002), was superseded on July 29, 2008 and is provided here only for historical purposes. For the most current revision of this publication, see: http://csrc.nist.gov/publications/PubsFIPS.html#198-1. FIPS PUB 198 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION The Keyed-Hash Message Authentication Code (HMAC) CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8900 Issued March 6, 2002 U.S. Department of Commerce Donald L. Evans, Secretary Technology Administration Philip J. Bond, Under Secretary National Institute of Standards and Technology Arden L. Bement, Jr., Director Foreword The Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Computer Security Act of 1987 (Public Law 100-235). These mandates have given the Secretary of Commerce and NIST important responsibilities for improving the utilization and management of computer and related telecommunications systems in the Federal government. The NIST, through its Information Technology Laboratory, provides leadership, technical guidance, and coordination of government efforts in the development of standards and guidelines in these areas. Comments concerning Federal Information Processing Standards Publications are welcomed and should be addressed to the Director, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900. 
William Mehuron, Director Information Technology Laboratory Abstract This standard describes a keyed-hash message authentication code (HMAC), a mechanism for message authentication using cryptographic hash functions.
  • Message Authentication Aspects of Message Authentication Message
    Message authentication and hash functions (COMP 522). Message authentication: A message (or document) is authentic if it is genuine and came from its alleged source. Message authentication is a procedure which verifies that received messages are authentic. Aspects of message authentication: we would like to ensure that the content of the message has not been changed; the source of the message is authentic; the message has not been delayed and replayed. Message authentication techniques: Using conventional message encryption: if we assume that only sender and receiver share a secret key, then the fact that the receiver can successfully decrypt the message means the message has been encrypted by the sender. Without message encryption: the message is not encrypted, but a special authentication tag is generated and appended to the message. Generation of a tag is a much more efficient procedure than encryption of the message. Message Authentication Code, message authentication using a MAC: Let A and B share a common secret key K. If A would like to send a message M to B, she calculates a message authentication code MAC of M using the key K: MAC = F(K, M). Then A appends MAC to M and sends all this to B. B applies the MAC algorithm to the received message and compares the result with the received MAC. MAC algorithms: The process of MAC generation is similar to message encryption; the difference is that a MAC algorithm need not be reversible → easier to implement and less vulnerable to being broken. Actually, standard encryption algorithms can be used for MAC generation: for example, a message may be encrypted with DES and then the last 16 or 32 bits of the encrypted text may be
    One-way hash functions: An alternative method for message authentication is to use one-way hash functions instead of a MAC; the main difference is that hash functions don't use a secret key: h = H(M). "One-way" in the name refers to the property of such functions: they are easy to compute, but their reverse functions are very difficult to compute.
  • Reconsidering the Security Bound of AES-GCM-SIV
    Reconsidering the Security Bound of AES-GCM-SIV. Tetsu Iwata (Nagoya University, Japan, [email protected]) and Yannick Seurin (ANSSI, Paris, France, [email protected]). Abstract. We make a number of remarks about the AES-GCM-SIV nonce-misuse resistant authenticated encryption scheme currently considered for standardization by the Crypto Forum Research Group (CFRG). First, we point out that the security analysis proposed in the ePrint report 2017/168 is incorrect, leading to overly optimistic security claims. We correct the bound and re-assess the security guarantees offered by the scheme for various parameters. Second, we suggest a simple modification to the key derivation function which would improve the security of the scheme with virtually no efficiency penalty. Keywords: authenticated encryption · AEAD · GCM-SIV · AES-GCM-SIV · CAESAR competition. 1 Introduction. Authenticated Encryption. An authenticated encryption scheme aims at providing both confidentiality and authenticity when communicating over an insecure channel. The recent CAESAR competition [CAE] has spawned a lot of candidate schemes as well as more theoretical works on the subject. One of the most widely deployed AEAD schemes today is GCM [MV04], which combines, in the "encrypt-then-MAC" fashion [BN00], a Wegman-Carter MAC [WC81, Sho96] based on a polynomial hash function called GHASH, and the counter encryption mode [BDJR97]. GCM is nonce-based [Rog04], i.e., for each encryption the sender must provide a non-repeating value N. Unfortunately, the security of GCM becomes very brittle in case the same nonce N is reused (something called nonce-misuse), in particular a simple attack allows to completely break authenticity [Jou06, BZD+16] (damages to confidentiality are to some extent less dramatic [ADL17]).
  • Message Authentication Code
    Introduction to Cryptography, CS 355 Lecture 28: Message Authentication Code (CS 355 Fall 2005 / Lecture 28). Lecture Outline: Message Authentication Code (MAC); Security properties of MAC. Data Integrity and Source Authentication: Encryption does not protect data from modification by another party. Need a way to ensure that data arrives at destination in its original form as sent by the sender and it is coming from an authenticated source. Limitation of Using Hash Functions for Authentication: Require an authentic channel to transmit the hash of a message; anyone can compute the hash value of a message, as the hash function is public; not always possible. How to address this? Use more than one hash function; use a key to select which one to use. Hash Family: A hash family is a four-tuple (X, Y, K, H), where X is a set of possible messages, Y is a finite set of possible message digests, K is the keyspace, and for each K ∈ K there is a hash function h_K ∈ H, each h_K: X → Y. Alternatively, one can think of H as a function K × X → Y. Message Authentication Code: A MAC scheme is a hash family, used for message authentication. MAC = C_K(M). The sender and the receiver share K. The sender sends (M, C_K(M)). The receiver receives (X, Y) and verifies that C_K(X) = Y; if so, then accepts the message as from the sender. To be secure, an adversary shouldn't be able to come up with (X, Y) such that C_K(X) = Y.
  • Optimizing Authenticated Encryption Algorithms
    Masaryk University, Faculty of Informatics. Optimizing authenticated encryption algorithms. Master's Thesis, Ondrej Mosnáček, Brno, Fall 2017. This is where a copy of the official signed thesis assignment and a copy of the Statement of an Author is located in the printed version of the document. Declaration: Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Ondrej Mosnáček. Advisor: Ing. Milan Brož. Acknowledgement: I would like to thank my advisor, Milan Brož, for his guidance, patience, and helpful feedback and advice. Also, I would like to thank my girlfriend Ludmila, my family, and my friends for their support and kind words of encouragement. If I had more time, I would have written a shorter letter. (Blaise Pascal) Abstract: In this thesis, we look at authenticated encryption with associated data (AEAD), which is a cryptographic scheme that provides both confidentiality and integrity of messages within a single operation. We look at various existing and proposed AEAD algorithms and compare them both in terms of security and performance. We take a closer look at three selected candidate families of algorithms from the CAESAR competition. Then we discuss common facilities provided by the two most common CPU architectures, x86 and ARM, that can be used to implement cryptographic algorithms efficiently.
  • SHA-3 Family of Cryptographic Hash Functions and Extendable-Output Functions
    The SHA-3 Family of Cryptographic Hash Functions and Extendable-Output Functions. José Luis Gómez Pardo (Departamento de Álxebra, Universidade de Santiago, 15782 Santiago de Compostela, Spain, e-mail: [email protected]) and Carlos Gómez-Rodríguez (Departamento de Computación, Universidade da Coruña, 15071 A Coruña, Spain, e-mail: [email protected]). Introduction. This worksheet contains a Maple implementation of the Secure Hash Algorithm-3 (SHA-3) family of functions which have been standardized by the US National Institute of Standards and Technology (NIST) in August 2015, as specified in [FIPS PUB 202] (SHA-3 Standard). The SHA-3 family consists of four cryptographic hash functions, called SHA3-224, SHA3-256, SHA3-384, and SHA3-512, and two extendable-output functions (XOFs), called SHAKE128 and SHAKE256. The XOFs are different from hash functions but, as stated in the SHA-3 Standard, "it is possible to use them in similar ways, with the flexibility to be adapted directly to the requirements of individual applications, subject to additional security considerations". The SHA-3 functions are based on the Keccak sponge function, designed by G. Bertoni, J. Daemen, M. Peeters and G. Van Assche. Keccak was selected for this purpose because it was declared, on October 2, 2012, the winner of the NIST Hash Function Competition held by NIST. The worksheet is an updated version of a previous one which had been published in 2013 with the title "The SHA-3 family of hash functions and their use for message authentication". The new version includes the XOFs following the NIST specification and, at the programming level, the most important change is in the padding procedure.
  • 1 Previous Lecture 2 Message Authentication Codes (Macs)
    CS276: Cryptography, October 1, 2015. Message Authentication Codes and CCA2. Instructor: Alessandro Chiesa. Scribe: David Field. 1 Previous lecture. Last time we: • Constructed a CPA-secure encryption scheme from PRFs. • Introduced cipher modes of operation and found quibbles (malleability attacks) that caused us to seek more than just CPA security. • Defined a security hierarchy for encryption schemes: CPA, CCA1, and CCA2. • Wanted to patch our CPA-secure scheme to also be secure against an active attacker: prevent the attacker from monkeying with ciphertext. This last desire takes us on a detour through message authentication codes (MACs). 2 Message authentication codes (MACs). In brief, a message authentication code guarantees both the integrity of a message and the identity of the sender. We are in this scenario: Alice and Bob share a secret key sk. Eve is an active attacker capable not only of eavesdropping, but also of modifying messages. (Figure: Alice (sk) sends m, t to Bob (sk) with Eve in between.) The idea is to attach a tag to the message with the property that Eve cannot generate a tag for any message that Alice did not previously send. The tagging scheme needs to satisfy two properties: Completeness: Alice can tag any message m to get a tag t that Bob can verify (together with m and the shared secret key). Security: Eve cannot forge tags for messages she has not already seen tagged. Informally, a MAC is a pair of algorithms T (for tag) and V (for verify). T outputs a tag given a secret key and a message. V outputs a bit indicating whether a given tag is valid for a secret key and message.