DOCSLIB.ORG

Survey of Design and Security Evaluation of Authenticated Encryption Algorithms in the CAESAR Competition∗

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Survey of Design and Security Evaluation of Authenticated Encryption Algorithms in the CAESAR Competition∗ Zhang et al. / Front Inform Technol Electron Eng 2018 19(12):1475-1499 1475 Frontiers of Information Technology & Electronic Engineering www.jzus.zju.edu.cn; engineering.cae.cn; www.springerlink.com ISSN 2095-9184 (print); ISSN 2095-9230 (online) E-mail: [email protected] Review: Survey of design and security evaluation of authenticated encryption algorithms in the CAESAR competition∗ Fan ZHANG†‡1,2,3,4, Zi-yuan LIANG1,2,4, Bo-lin YANG1, Xin-jie ZHAO5, Shi-ze GUO5,KuiREN2,4 1College of Information Science and Electronic Engineering, Zhejiang University, Hangzhou 310027, China 2Institute of Cyberspace Research, Zhejiang University, Hangzhou 310027, China 3State Key Laboratory of Cryptology, Beijing 100878, China 4Alibaba-Zhejiang University Joint Institute of Frontier Technologies, Hangzhou 310027, China 5Institute of North Electronic Equipment, Beijing 100191, China †E-mail: [email protected] Received Sept. 17, 2018; Revision accepted Nov. 20, 2018; Crosschecked Dec. 17, 2018 Abstract: The Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) supported by the National Institute of Standards and Technology (NIST) is an ongoing project calling for submissions of authenticated encryption (AE) schemes. The competition itself aims at enhancing both the design of AE schemes and related analysis. The design goal is to pursue new AE schemes that are more secure than advanced encryption standard with Galois/counter mode (AES-GCM) and can simultaneously achieve three design aspects: security, applicability, and robustness. The competition has a total of three rounds and the last round is approaching the end in 2018. In this survey paper, we first introduce the requirements of the proposed design and the progress of candidate screening in the CAESAR competition. Second, the candidate AE schemes in the final round are classified according to their design structures and encryption modes. Third, comprehensive performance and security evaluations are conducted on these candidates. Finally, the research trends of design and analysis of AE for the future are discussed. Key words: CAESAR competition; Authenticated cipher; Block cipher; Stream cipher; Hash function; Security evaluation https://doi.org/10.1631/FITEE.1800576 CLC number: TP309 1 Introduction encryption (AE). Integrating encryption and mes- sage authentication, AE algorithms have extensive Traditional symmetric encryption algorithms research and application prospects. Sometimes, AE provide confidentiality mainly for messages. Mes- algorithms are also referred to as AE schemes or au- sage authentication algorithms provide integrity sep- thenticated ciphers. arately. Many applications require that algorithms The characteristics of AE algorithms can be provide both message confidentiality and integrity. viewed from different angles. According to the times Therefore, there is an urgent need for authenticated that a message is processed, AE can be divided into two categories. ‡ Corresponding author * Project supported by the National Natural Science Foundation The first category is called “one-pass AE,” in of China (Nos. 61472357 and 61571063), the Open Fund of State which a message needs to be processed only once. Key Laboratory of Cryptology, the Major Scientific Research Project of Zhejiang Lab, and the Alibaba-Zhejiang University In 2000, Jutla from IBM proposed integrity aware Joint Institute of Frontier Technologies cipher block chaining (IACBC) and integrity aware ORCID: Fan ZHANG, http://orcid.org/0000-0001-6087-8243 c Zhejiang University and Springer-Verlag GmbH Germany, part parallelizable mode (IAPM), which are the earliest of Springer Nature 2018 one-pass AE algorithms (Jutla, 2001). Shortly after 1476 Zhang et al. / Front Inform Technol Electron Eng 2018 19(12):1475-1499 that, Gligor and Donescu (2001) proposed new one- during calculations. The purpose of constructing a pass AE algorithms, XCBC and XECB. Rogaway dedicated AE is to improve efficiency, reduce costs, et al. (2001) further improved IAPM. They designed and enhance security. In recent years, design and a new type of one-pass AE, called “OCB,” which can analysis of dedicated AEs has become a research hot overcome the defects of the ECB model. spot in cryptography. The other category is two-pass AE, in which a With the support of the National Institute of message needs to be processed twice. The counter Standards and Technology (NIST), the Competi- with CBC-MAC (CCM) mode (Whiting et al., 2003) tion for Authenticated Encryption: Security, Ap- and the Galois/counter mode (GCM) (McGrew and plicability, and Robustness (CAESAR) competition Viega, 2004) are the two most classical two-pass AE calls for submissions of AE schemes worldwide. Af- algorithms. CCM has been adopted by the IEEE ter the AES competition, the NESSIE project, and 802.11 wireless LAN standard, and has been se- the SHA-3 competition, the CAESAR competition lected as the recommended standard of AE mode is considered as another significant milestone in the for the block cipher Advanced Encryption Standard international cryptography community. The entire (AES) by NIST. GCM has also been adopted by sev- competition cycle started in 2013, and has a total eral standardizations such as NIST, IPSec, SSL, and of three rounds. As its name suggests, the CAE- TLS. SAR competition calls for AE schemes that can sat- According to the design principle, AE algo- isfy integrity, confidentiality, and robustness simul- rithms can be further classified into two mainstream taneously. The comprehensive performance and se- types. curity strength of the candidates should be higher One type involves constructing AE algorithms than those of AES-GCM. Recently, the competition by combining existing authentication and encryp- moved to the final round. There are seven finalists tion algorithms. There are three methods of com- after three rounds of screening. position: encrypt-and-MAC plaintext, MAC-then- For years, the CAESAR competition has drawn encrypt, and encrypt-then-MAC. Bellare and Nam- extensive attention from the global cryptography re- prempre (2008) showed that the encrypt-then-MAC search community. It produces a large number of ex- method is the most secure one, whereas other meth- cellent algorithms, generates new design techniques, ods, such as encrypt-and-MAC and MAC-then- and stimulates the growth of this research area. At encrypt, have some security vulnerabilities. Most the same time, these collected results may directly of existing network communication security pro- promote the standardization and large-scale applica- tocols, such as HTTPS, SSL, and IPSec, adopt tion of AE algorithms. encrypt-then-MAC as one of their design princi- After rigorous analysis by worldwide cryptogra- ples. In their designed constructions, the optional phers, the candidates in the CAESAR competition encryption algorithms they choose could be AES, have good security, real-time efficiency, and high re- 3DES, etc., and the optional authentication algo- search value for AE design and analysis. Our paper rithms could be MAC or others. However, if the focuses mainly on the seven finalists, but also ad- padding process is added between encryption and au- dresses the rest of the candidates in the third round. thentication, that is, when the encryption-padding- We introduce the basic requirements of the CAE- authentication scheme is adopted, adversaries can SAR candidates, and then discuss their designed launch the padding oracle attack (Hwang and Lee, structure, detailed features, and performance eval- 2015), which can decrypt the protocol data without uation. We also collect related works about each authorization. candidate, and introduce their up-to-date research The other type involves constructing AE algo- progress, hoping to provide certain reference to the rithms with a dedicated new design that interleaves community of AE-related research. the authentication and encryption processes to share part or all of their calculations, which eventually re- 2 Background on AE algorithms sults in a complete new AE algorithm. In the con- struction, authentication and encryption steps can An authenticated cipher is composed of two pro- access each other’s inputs and intermediate results cedures, authenticated encryption and verification Zhang et al. / Front Inform Technol Electron Eng 2018 19(12):1475-1499 1477 decryption, which can be depicted by two functions design requirements and classify them into three as- fE and fD, respectively. pects: inputs, security, and comprehensive perfor- 1. AE function fE: The inputs to fE include mance. Because the CAESAR competition has fin- the key K, the plaintext P , the associated data AD, ished all three rounds, we provide a brief introduc- and an arbitrary number N (nonce). AD is an op- tion to the progress of CAESAR, and also list the tional header in plaintext that will not be encrypted, finalists as well as other candidates in three rounds but will be covered by authenticity protection. The of screening. outputs from fE are the ciphertext C and the tag T , which are the message authentication codes (MAC) 3.1 Design requirements of the AE scheme of the AE algorithm. The AE function first encrypts on P with K,AD,andN to generate the corre- Most AE schemes adopt the standard AE con- sponding C, and then produces the authenticated struction mentioned in Section 2. Here are some of tag T with part of the input parameters and C. the specific requirements for CAESAR candidates. 2. Verification decryption function fD:Thein- 1. Inputs. As introduced
Load more

Recommended publications
  • Grade 6 Reading Student At–Home Activity Packet
    Printer Warning: This packet is lengthy. Determine whether you want to print both sections, or only print Section 1 or 2. Grade 6 Reading Student At–Home Activity Packet This At–Home Activity packet includes two parts, Section 1 and Section 2, each with approximately 10 lessons in it. We recommend that your student complete one lesson each day. Most lessons can be completed independently. However, there are some lessons that would benefit from the support of an adult. If there is not an adult available to help, don’t worry! Just skip those lessons. Encourage your student to just do the best they can with this content—the most important thing is that they continue to work on their reading! Flip to see the Grade 6 Reading activities included in this packet! © 2020 Curriculum Associates, LLC. All rights reserved. Section 1 Table of Contents Grade 6 Reading Activities in Section 1 Lesson Resource Instructions Answer Key Page 1 Grade 6 Ready • Read the Guided Practice: Answers will vary. 10–11 Language Handbook, Introduction. Sample answers: Lesson 9 • Complete the 1. Wouldn’t it be fun to learn about Varying Sentence Guided Practice. insect colonies? Patterns • Complete the 2. When I looked at the museum map, Independent I noticed a new insect exhibit. Lesson 9 Varying Sentence Patterns Introduction Good writers use a variety of sentence types. They mix short and long sentences, and they find different ways to start sentences. Here are ways to improve your writing: Practice. Use different sentence types: statements, questions, imperatives, and exclamations. Use different sentence structures: simple, compound, complex, and compound-complex.
    [Show full text]
  • Basic Cryptography
    Basic cryptography • How cryptography works... • Symmetric cryptography... • Public key cryptography... • Online Resources... • Printed Resources... I VP R 1 © Copyright 2002-2007 Haim Levkowitz How cryptography works • Plaintext • Ciphertext • Cryptographic algorithm • Key Decryption Key Algorithm Plaintext Ciphertext Encryption I VP R 2 © Copyright 2002-2007 Haim Levkowitz Simple cryptosystem ... ! ABCDEFGHIJKLMNOPQRSTUVWXYZ ! DEFGHIJKLMNOPQRSTUVWXYZABC • Caesar Cipher • Simple substitution cipher • ROT-13 • rotate by half the alphabet • A => N B => O I VP R 3 © Copyright 2002-2007 Haim Levkowitz Keys cryptosystems … • keys and keyspace ... • secret-key and public-key ... • key management ... • strength of key systems ... I VP R 4 © Copyright 2002-2007 Haim Levkowitz Keys and keyspace … • ROT: key is N • Brute force: 25 values of N • IDEA (international data encryption algorithm) in PGP: 2128 numeric keys • 1 billion keys / sec ==> >10,781,000,000,000,000,000,000 years I VP R 5 © Copyright 2002-2007 Haim Levkowitz Symmetric cryptography • DES • Triple DES, DESX, GDES, RDES • RC2, RC4, RC5 • IDEA Key • Blowfish Plaintext Encryption Ciphertext Decryption Plaintext Sender Recipient I VP R 6 © Copyright 2002-2007 Haim Levkowitz DES • Data Encryption Standard • US NIST (‘70s) • 56-bit key • Good then • Not enough now (cracked June 1997) • Discrete blocks of 64 bits • Often w/ CBC (cipherblock chaining) • Each blocks encr. depends on contents of previous => detect missing block I VP R 7 © Copyright 2002-2007 Haim Levkowitz Triple DES, DESX,
    [Show full text]
  • Vector Boolean Functions: Applications in Symmetric Cryptography
    Vector Boolean Functions: Applications in Symmetric Cryptography José Antonio Álvarez Cubero Departamento de Matemática Aplicada a las Tecnologías de la Información y las Comunicaciones Universidad Politécnica de Madrid This dissertation is submitted for the degree of Doctor Ingeniero de Telecomunicación Escuela Técnica Superior de Ingenieros de Telecomunicación November 2015 I would like to thank my wife, Isabel, for her love, kindness and support she has shown during the past years it has taken me to finalize this thesis. Furthermore I would also liketo thank my parents for their endless love and support. Last but not least, I would like to thank my loved ones such as my daughter and sisters who have supported me throughout entire process, both by keeping me harmonious and helping me putting pieces together. I will be grateful forever for your love. Declaration The following papers have been published or accepted for publication, and contain material based on the content of this thesis. 1. [7] Álvarez-Cubero, J. A. and Zufiria, P. J. (expected 2016). Algorithm xxx: VBF: A library of C++ classes for vector Boolean functions in cryptography. ACM Transactions on Mathematical Software. (In Press: http://toms.acm.org/Upcoming.html) 2. [6] Álvarez-Cubero, J. A. and Zufiria, P. J. (2012). Cryptographic Criteria on Vector Boolean Functions, chapter 3, pages 51–70. Cryptography and Security in Computing, Jaydip Sen (Ed.), http://www.intechopen.com/books/cryptography-and-security-in-computing/ cryptographic-criteria-on-vector-boolean-functions. (Published) 3. [5] Álvarez-Cubero, J. A. and Zufiria, P. J. (2010). A C++ class for analysing vector Boolean functions from a cryptographic perspective.
    [Show full text]
  • Analysis of Selected Block Cipher Modes for Authenticated Encryption
    Analysis of Selected Block Cipher Modes for Authenticated Encryption by Hassan Musallam Ahmed Qahur Al Mahri Bachelor of Engineering (Computer Systems and Networks) (Sultan Qaboos University) – 2007 Thesis submitted in fulfilment of the requirement for the degree of Doctor of Philosophy School of Electrical Engineering and Computer Science Science and Engineering Faculty Queensland University of Technology 2018 Keywords Authenticated encryption, AE, AEAD, ++AE, AEZ, block cipher, CAESAR, confidentiality, COPA, differential fault analysis, differential power analysis, ElmD, fault attack, forgery attack, integrity assurance, leakage resilience, modes of op- eration, OCB, OTR, SHELL, side channel attack, statistical fault analysis, sym- metric encryption, tweakable block cipher, XE, XEX. i ii Abstract Cryptography assures information security through different functionalities, es- pecially confidentiality and integrity assurance. According to Menezes et al. [1], confidentiality means the process of assuring that no one could interpret infor- mation, except authorised parties, while data integrity is an assurance that any unauthorised alterations to a message content will be detected. One possible ap- proach to ensure confidentiality and data integrity is to use two different schemes where one scheme provides confidentiality and the other provides integrity as- surance. A more compact approach is to use schemes, called Authenticated En- cryption (AE) schemes, that simultaneously provide confidentiality and integrity assurance for a message. AE can be constructed using different mechanisms, and the most common construction is to use block cipher modes, which is our focus in this thesis. AE schemes have been used in a wide range of applications, and defined by standardisation organizations. The National Institute of Standards and Technol- ogy (NIST) recommended two AE block cipher modes CCM [2] and GCM [3].
    [Show full text]
  • Internet Engineering Task Force (IETF) S. Kanno Request for Comments: 6367 NTT Software Corporation Category: Informational M
    Internet Engineering Task Force (IETF) S. Kanno Request for Comments: 6367 NTT Software Corporation Category: Informational M. Kanda ISSN: 2070-1721 NTT September 2011 Addition of the Camellia Cipher Suites to Transport Layer Security (TLS) Abstract This document specifies forty-two cipher suites for the Transport Security Layer (TLS) protocol to support the Camellia encryption algorithm as a block cipher. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6367. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
    [Show full text]
  • Rotational Cryptanalysis of ARX
    Rotational Cryptanalysis of ARX Dmitry Khovratovich and Ivica Nikoli´c University of Luxembourg [email protected], [email protected] Abstract. In this paper we analyze the security of systems based on modular additions, rotations, and XORs (ARX systems). We provide both theoretical support for their security and practical cryptanalysis of real ARX primitives. We use a technique called rotational cryptanalysis, that is universal for the ARX systems and is quite efficient. We illustrate the method with the best known attack on reduced versions of the block cipher Threefish (the core of Skein). Additionally, we prove that ARX with constants are functionally complete, i.e. any function can be realized with these operations. Keywords: ARX, cryptanalysis, rotational cryptanalysis. 1 Introduction A huge number of symmetric primitives using modular additions, bitwise XORs, and intraword rotations have appeared in the last 20 years. The most famous are the hash functions from MD-family (MD4, MD5) and their descendants SHA-x. While modular addition is often approximated with XOR, for random inputs these operations are quite different. Addition provides diffusion and nonlinearity, while XOR does not. Although the diffusion is relatively slow, it is compensated by a low price of addition in both software and hardware, so primitives with relatively high number of additions (tens per byte) are still fast. The intraword rotation removes disbalance between left and right bits (introduced by the ad- dition) and speeds up the diffusion. Many recently design primitives use only XOR, addition, and rotation so they are grouped into a single family ARX (Addition-Rotation-XOR).
    [Show full text]
  • The EAX Mode of Operation
    A preliminary version of this papers appears in Fast Software Encryption ’04, Lecture Notes in Computer Science, vol. ?? , R. Bimal and W. Meier ed., Springer-Verlag, 2004. This is the full version. The EAX Mode of Operation (A Two-Pass Authenticated-Encryption Scheme Optimized for Simplicity and Efficiency) ∗ † ‡ M. BELLARE P. ROGAWAY D. WAGNER January 18, 2004 Abstract We propose a block-cipher mode of operation, EAX, for solving the problem of authenticated-encryption with associated-data (AEAD). Given a nonce N, a message M, and a header H, our mode protects the privacy of M and the authenticity of both M and H. Strings N, M, and H are arbitrary bit strings, and the mode uses 2|M|/n + |H|/n + |N|/n block-cipher calls when these strings are nonempty and n is the block length of the underlying block cipher. Among EAX’s characteristics are that it is on-line (the length of a message isn’t needed to begin processing it) and a fixed header can be pre-processed, effectively removing the per-message cost of binding it to the ciphertext. EAX is obtained by first creating a generic-composition method, EAX2, and then collapsing its two keys into one. EAX is provably secure under a standard complexity-theoretic assumption. The proof of this fact is novel and involved. EAX is an alternative to CCM [26], which was created to answer the wish within standards bodies for a fully-specified and patent-free AEAD mode. As such, CCM and EAX are two-pass schemes, with one pass for achieving privacy and one for authenticity.
    [Show full text]
  • Nessie Neutrally-Buoyant Elevated System for Satellite Imaging and Evaluation
    NESSIE NEUTRALLY-BUOYANT ELEVATED SYSTEM FOR SATELLITE IMAGING AND EVALUATION 1 Project Overview Space Situational Awareness (SSA) • Determine the orbital characteristics of objects in space Currently there are only two methods Radar • Expensive Telescopes • Cheaper, but can be blocked by cloud cover Both are fully booked and can't collect enough data Over 130,000,000 estimated objects in orbit 2 Introduction Solution Critical Project Elements Risk Analysis Schedule Our Mission: MANTA NESSIE • Full-Scale SSA UAV • Proof of concept vehicle • Operates at 18000ft • Operates at 400ft AGL • Fully realized optical Scale • Payload bay capability 1 : 2.5 payload • Mass 1 lb • Mass 15 lbs • Contained in 4.9” cube • Contained in 12” cube • Requires 5.6 W of Power • Requires 132 W of Power • Provide path to flight at full-scale 3 Introduction Solution Critical Project Elements Risk Analysis Schedule Stay on a 65,600 ft to 164,000 ft distance from takeoff spot Legend: 10 arcseconds object Requirements centroid identification 5. Point optical Dimness ≥ 13 accuracy, 3 sigma precision system, capture Operations flow apparent magnitude image, measure time and position 4. Pointing and stabilization check, 6. Store image autonomous flight and data 7. Start autonomous Loop descent to Ground Station when battery is low. Constantly downlink 3. Manual ascent position and status above clouds, uplink data to ground station 8. Manual landing, Max 18,000 altitude ft from ground station uplink from ground station 1. System 2. Unload/ Assembly/ Prep. Ground Station End of mission 14 transportation hours after first ascent 4 Land 300 ft (100 yards) from takeoff spot Stay within 400 ft of takeoff spot Legend: 4.
    [Show full text]
  • On the Security of IV Dependent Stream Ciphers
    On the Security of IV Dependent Stream Ciphers Côme Berbain and Henri Gilbert France Telecom R&D {[email protected]} research & development Stream Ciphers IV-less IV-dependent key K key K IV (initial value) number ? generator keystream keystream plaintext ⊕ ciphertext plaintext ⊕ ciphertext e.g. RC4, Shrinking Generator e.g. SNOW, Scream, eSTREAM ciphers well founded theory [S81,Y82,BM84] less unanimously agreed theory practical limitations: prior work [RC94, HN01, Z06] - no reuse of K numerous chosen IV attacks - synchronisation - key and IV setup not well understood IV setup – H. Gilbert (2) research & developement Orange Group Outline security requirements on IV-dependent stream ciphers whole cipher key and IV setup key and IV setup constructions satisfying these requirements blockcipher based tree based application example: QUAD incorporate key and IV setup in QUAD's provable security argument IV setup – H. Gilbert (3) research & developement Orange Group Security in IV-less case: PRNG notion m K∈R{0,1} number truly random VS generator g generator g g(K) ∈{0,1}L L OR Z ∈R{0,1} 1 input A 0 or 1 PRNG A tests number distributions: Adv g (A) = PrK [A(g(K)) = 1] − PrZ [A(Z) = 1] PRNG PRNG Advg (t) = maxA,T(A)≤t (Advg (A)) PRNG 80 g is a secure cipher ⇔ g is a PRNG ⇔ Advg (t < 2 ) <<1 IV setup – H. Gilbert (4) research & developement Orange Group Security in IV-dependent case: PRF notion stream cipher perfect random fct. IV∈ {0,1}n function generator VSOR g* gK G = {gK} gK(IV) q oracle queries • A 0 or 1 PRF gK g* A tests function distributions: Adv G (A) = Pr[A = 1] − Pr[A = 1] PRF PRF Adv G (t, q) = max A (Adv G (A)) PRF 80 40 G is a secure cipher ⇔ G is a PRF ⇔ Adv G (t < 2 ,2 ) << 1 IV setup – H.
    [Show full text]
  • 9/11 Report”), July 2, 2004, Pp
    Final FM.1pp 7/17/04 5:25 PM Page i THE 9/11 COMMISSION REPORT Final FM.1pp 7/17/04 5:25 PM Page v CONTENTS List of Illustrations and Tables ix Member List xi Staff List xiii–xiv Preface xv 1. “WE HAVE SOME PLANES” 1 1.1 Inside the Four Flights 1 1.2 Improvising a Homeland Defense 14 1.3 National Crisis Management 35 2. THE FOUNDATION OF THE NEW TERRORISM 47 2.1 A Declaration of War 47 2.2 Bin Ladin’s Appeal in the Islamic World 48 2.3 The Rise of Bin Ladin and al Qaeda (1988–1992) 55 2.4 Building an Organization, Declaring War on the United States (1992–1996) 59 2.5 Al Qaeda’s Renewal in Afghanistan (1996–1998) 63 3. COUNTERTERRORISM EVOLVES 71 3.1 From the Old Terrorism to the New: The First World Trade Center Bombing 71 3.2 Adaptation—and Nonadaptation— ...in the Law Enforcement Community 73 3.3 . and in the Federal Aviation Administration 82 3.4 . and in the Intelligence Community 86 v Final FM.1pp 7/17/04 5:25 PM Page vi 3.5 . and in the State Department and the Defense Department 93 3.6 . and in the White House 98 3.7 . and in the Congress 102 4. RESPONSES TO AL QAEDA’S INITIAL ASSAULTS 108 4.1 Before the Bombings in Kenya and Tanzania 108 4.2 Crisis:August 1998 115 4.3 Diplomacy 121 4.4 Covert Action 126 4.5 Searching for Fresh Options 134 5.
    [Show full text]
  • Patent-Free Authenticated-Encryption As Fast As OCB
    Patent-Free Authenticated-Encryption As Fast As OCB Ted Krovetz Computer Science Department California State University Sacramento, California, 95819 USA [email protected] Abstract—This paper presents an efficient authenticated encryp- VHASH hash family [4]. The resulting authenticated encryp- tion construction based on a universal hash function and block tion scheme peaks at 12.8 cpb, while OCB peaks at 13.9 cpb in cipher. Encryption is achieved via counter-mode while authenti- our experiments. The paper closes with a performance com- cation uses the Wegman-Carter paradigm. A single block-cipher parison of several well-known authenticated encryption algo- key is used for both operations. The construction is instantiated rithms [6]. using the hash functions of UMAC and VMAC, resulting in authenticated encryption with peak performance about ten per- cent slower than encryption alone. II. SECURITY DEFINITIONS We adopt the notions of security from [7], and summarize Keywords- Authenticated encryption, block-cipher mode-of- them less formally here. An authenticated encryption with as- operation, AEAD, UMAC, VMAC. sociated data (AEAD) scheme is a triple S = (K,E,D), where K is a set of keys, and E and D are encryption and decryption I. INTRODUCTION functions. Encryption occurs by computing E(k,n,h,p,f), which Traditionally when one wanted to both encrypt and authen- returns (c,t), for key k, nonce n, header h, plaintext m and ticate communications, one would encrypt the message under footer f. Ciphertext c is the encryption of p, and tag t authenti- one key and authenticate the resulting ciphertext under a sepa- cates h, c and f.
    [Show full text]
  • Ascon (A Submission to CAESAR)
    Ascon (A Submission to CAESAR) Ch. Dobraunig1, M. Eichlseder1, F. Mendel1, M. Schl¨affer2 1IAIK, Graz University of Technology, Austria 2Infineon Technologies AG, Austria 22nd Crypto Day, Infineon, Munich Overview CAESAR Design of Ascon Security analysis Implementations 1 / 20 CAESAR CAESAR: Competition for Authenticated Encryption { Security, Applicability, and Robustness (2014{2018) http://competitions.cr.yp.to/caesar.html Inspired by AES, eStream, SHA-3 Authenticated Encryption Confidentiality as provided by block cipher modes Authenticity, Integrity as provided by MACs \it is very easy to accidentally combine secure encryption schemes with secure MACs and still get insecure authenticated encryption schemes" { Kohno, Whiting, and Viega 2 / 20 CAESAR CAESAR: Competition for Authenticated Encryption { Security, Applicability, and Robustness (2014{2018) http://competitions.cr.yp.to/caesar.html Inspired by AES, eStream, SHA-3 Authenticated Encryption Confidentiality as provided by block cipher modes Authenticity, Integrity as provided by MACs \it is very easy to accidentally combine secure encryption schemes with secure MACs and still get insecure authenticated encryption schemes" { Kohno, Whiting, and Viega 2 / 20 Generic compositions MAC-then-Encrypt (MtE) e.g. in SSL/TLS MAC M security depends on E and MAC E ∗ C T k Encrypt-and-MAC (E&M) ∗ e.g. in SSH E C M security depends on E and MAC MAC T Encrypt-then-MAC (EtM) ∗ IPSec, ISO/IEC 19772:2009 M E C provably secure MAC T 3 / 20 Tags for M = IV (N 1), M = IV (N 2), . ⊕ k ⊕ k are the key stream to read M1, M2,... (Keys for) E ∗ and MAC must be independent! Pitfalls: Dependent Keys (Confidentiality) Encrypt-and-MAC with CBC-MAC and CTR CTR CBC-MAC Nk1 Nk2 Nk` M1 M2 M` IV ··· EK EK ··· EK EK EK EK M1 M2 M` C1 C2 C` T What can an attacker do? 4 / 20 Pitfalls: Dependent Keys (Confidentiality) Encrypt-and-MAC with CBC-MAC and CTR CTR CBC-MAC Nk1 Nk2 Nk` M1 M2 M` IV ··· EK EK ··· EK EK EK EK M1 M2 M` C1 C2 C` T What can an attacker do? Tags for M = IV (N 1), M = IV (N 2), .
    [Show full text]