DOCSLIB.ORG

Symmetric Key Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Symmetric Key Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Symmetric Key Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Kölbl June 20th, 2017 DTU Compute, Technical University of Denmark Introduction to Symmetric Key Cryptography Symmetric Key Cryptography What can we do? • Encryption • Authentication (MAC) • Hashing • Random Number Generation • Digital Signature Schemes • Key Exchange 1 Authentication Authentication Message Authentication Code (MAC) Key Message MAC Tag • Produces a tag • Provide both authenticity and integrity • It should be hard to forge a valid tag. • Similar to hash but has a key • Similar to digital signature but same key 2 Authentication MAC Algorithm • Block Cipher Based (CBC-MAC) • Hash-based (HMAC, Sponge) • Universal Hashing (UMAC, Poly1305) 3 Authentication CBC-MAC M1 M2 Mi 0 EK EK EK T 4 Authentication Hash-based: • H(k jj m) • Okay with Sponge, fails with MD construction. • H(m jj k) • Collision on H allows to construct Tag collision. • HMAC: H(k ⊕ c1kj H(k ⊕ c2jjm)) 5 Authentication Universal Hashing (UMAC, Poly1305, …) • We need a universal hash function family H. • Parties share a secret member of H and key k. • Attacker does not know which one was chosen. Definition A set H of hash functions h : U ! N is universal iff 8x; y 2 U: 1 Pr (h(x) = h(y)) ≤ h2H jNj when h is chosen uniformly at random. 6 Authenticated Encryption In practice we always want Authenticated Encryption • Encryption does not protect against malicious alterations. • WEP [TWP07] • Plaintext recovery OpenSSH [APW09] • Recover TLS cookies [DR11] Problem Lot of things can go wrong when combining encryption and authentication. Note: This can allow to recover plaintext, forge messages... 7 Authenticated Encryption [BN00] Encrypt-and-MAC Message EK MACK0 Ciphertext Tag 8 Authenticated Encryption [BN00] MAC-then-Encrypt Message MACK0 Message Tag EK Ciphertext 9 Authenticated Encryption [BN00] Encrypt-then-MAC Message EK Ciphertext MACK0 Ciphertext Tag 10 Authenticated Encryption You have to be careful! CTR-Mode CBC-MAC N jj 1 N jj 2 N jj 3 M1 M2 Mi 0 E E E EK EK EK K K K M1 M2 M3 T C1 C2 C3 11 Authenticated Encryption Authenticated Encryption with Associated Data (AEAD) A1;:::; Am T M1;:::; Ml AE N C1;:::; Cm • Associcated Data A (e.g. packet header) • Nonce N (unique number) 12 Authenticated Encryption Galois/Counter Mode (GCM) 0 Njj1 Njj2 Njjl Njj0 EK EK EK … EK EK M1 M2 Ml jj A1;:::; Am C1 C2 Cl m l H T ×H ×H ×H ×H ×H 13 0 Njj0 EK EK A1;:::; Am m jj l H T ×H ×H ×H ×H ×H Authenticated Encryption Galois/Counter Mode (GCM) Njj1 Njj2 Njjl EK EK … EK M1 M2 Ml C1 C2 Cl 13 Authenticated Encryption Galois/Counter Mode (GCM) 0 Njj1 Njj2 Njjl Njj0 EK EK EK … EK EK M1 M2 Ml jj A1;:::; Am C1 C2 Cl m l H T ×H ×H ×H ×H ×H 13 Authenticated Encryption AES-GCM • Widely used (TLS) • Reusing nonce compromises security • Weak keys for ×H • Hardware support for AES + PCLMULQDQ • AES-GCM-SIV? 14 Authenticated Encryption CAESAR1: Competition for Authenticated Encryption: Security, Applicability, and Robustness • Initially 57 submissions. • Third round: 15 Submissions left • Goal is to have a portfolio of AE schemes Summary Most applications need Authenticated Encryption! 1 https://competitions.cr.yp.to/caesar.html 15 Quantum Attacks Quantum Attacks Attack Model • Attacker listens to communication over classical channel. • Can query a classic blackbox with the secret key. • Attacker has large quantum computer. • Only limited set of quantum algorithms available. 16 Quantum Attacks Encryption / MACs • Recover Key in O(2k=2) with Grover’s. Hash Function • Find Preimage in O(2n=2) with Grover’s. • Find Collisions in O(2n=3) [BHT97] ... but needs O(2n=3) hardware. 17 Quantum Attacks The costs are not so simple • Costs of quantum operation vs. classic operations • Collision finding not really faster [Ber09]. There is some work on better understanding this: • Preimage SHA-256: 2166 logical-qubit-cycles [Amy+16]. • Preimage SHA3-256: 2166 logical-qubit-cycles [Amy+16]. 18 Quantum Attacks Even-Mansour • Two keys k1; k2. • Uses public permutation π. k1 k2 p π c Classic Security • D queries to E • T queries to π • Proof for upper bound on attack success O(DT=2n) 19 Quantum Attacks Quantum Oracle Access to encryption algorithm jxi jxi EK j0i jEK(x)i • Very strong model for adversary. 20 Quantum Attacks Simon’s Algorithm Given f : f0; 1gn ! f0; 1gn with promise that there exists s 2 f0; 1gn such that 8(x; y) 2 f0; 1gn : f(x) = f(y) () x ⊕ y 2 f0n; sg Output: s Only needs O(n) quantum queries. 21 Result One steps finds a vector such that y · s = 0. Simon’s Algorithm Circuit j0i H⊗n H⊗n v f j0i f(z) j0nij0ni 22 Result One steps finds a vector such that y · s = 0. Simon’s Algorithm Circuit j0i H⊗n H⊗n v f j0i f(z) X 1 p jxij0ni n 2 x 22 Result One steps finds a vector such that y · s = 0. Simon’s Algorithm Circuit j0i H⊗n H⊗n v f j0i f(z) X 1 p jxijf(x)i n 2 x 22 Result One steps finds a vector such that y · s = 0. Simon’s Algorithm Circuit j0i H⊗n H⊗n v f j0i f(z) 1 1 p jzi + p jz ⊕ si 2 2 22 Result One steps finds a vector such that y · s = 0. Simon’s Algorithm Circuit j0i H⊗n H⊗n v f j0i f(z) X 1 1 · · p p (−1)y z(1 + (−1)y s)jyi n 2 2 y 22 Simon’s Algorithm Circuit j0i H⊗n H⊗n v f j0i f(z) X 1 1 · · p p (−1)y z(1 + (−1)y s)jyi n 2 2 y Result One steps finds a vector such that y · s = 0. 22 Recover k1 with O(n) quantum queries. Quantum Breaking Even-Mansour [KM12] E ⊕ ⊕ k1;k2 (x) = π(x k1) k2 Construct: f : f0; 1gn ! f0; 1gn !E ⊕ ⊕ ⊕ ⊕ x k1;k2 (x) π(x) = π(x k1) k2 π(x) This function fulfills Simon’s promise: f(x) = π(x ⊕ k1) ⊕ k2 ⊕ π(x) f(x ⊕ k1) = π(x ⊕ k1 ⊕ k1) ⊕ k2 ⊕ π(x ⊕ k1) 23 Recover k1 with O(n) quantum queries. Quantum Breaking Even-Mansour [KM12] E ⊕ ⊕ k1;k2 (x) = π(x k1) k2 Construct: f : f0; 1gn ! f0; 1gn !E ⊕ ⊕ ⊕ ⊕ x k1;k2 (x) π(x) = π(x k1) k2 π(x) This function fulfills Simon’s promise: f(x) = π(x ⊕ k1) ⊕ k2 ⊕ π(x) f(x ⊕ k1) = π(x) ⊕ k2 ⊕ π(x ⊕ k1) 23 Quantum Breaking Even-Mansour [KM12] E ⊕ ⊕ k1;k2 (x) = π(x k1) k2 Construct: f : f0; 1gn ! f0; 1gn !E ⊕ ⊕ ⊕ ⊕ x k1;k2 (x) π(x) = π(x k1) k2 π(x) This function fulfills Simon’s promise: f(x) = π(x ⊕ k1) ⊕ k2 ⊕ π(x) f(x ⊕ k1) = π(x ⊕ k1) ⊕ k2 ⊕ π(x) Recover k1 with O(n) quantum queries. 23 Goal Construct f such that f(x) = f(x ⊕ s) for some secret s. Quantum Attacks Similar attacks [Kap+16] apply to • Block Cipher Modes • MACs • Authenticated Encryption • Improving Slide Attacks 24 Quantum Attacks Similar attacks [Kap+16] apply to • Block Cipher Modes • MACs • Authenticated Encryption • Improving Slide Attacks Goal Construct f such that f(x) = f(x ⊕ s) for some secret s. 24 Current Directions in Symmetric Key Cryptography Symmetric Key Cryptography Lightweight Cryptography • Resource constraint Server • Chip area Laptop / Desktop • Memory Smartphones Standard • Computing Power Smart devices • Power/Energy Microcontrollers 5 • NIST Project FPGA Computing Power Lightweight • Many designs exists ASIC RFID / Sensor Networks 1 https://beta.csrc.nist.gov/projects/lightweight-cryptography 25 Symmetric Key Cryptography Hash-based Signatures: • Many calls to a hash function... • ...but only very short inputs. • No collision resistance required Current Designs: • Often slow on short inputs. • Too conservative for this restricted setting? f f f • Designs: ChaCha in SPHINCS, Haraka [Köl+] 26 Symmetric Key Cryptography Multiparty Computation, Zero Knowledge, Fully Homomorphic Encryption • Multiplications in primitives very costly for these applications. • Signature size directly relates to number of ANDs (for ZK). Symmetric Key Primitives which: • Minimize number of ANDs • Minimize circuit depth • Examples: LowMC [Alb+15], MiMC [Alb+16], Kreyvium [Can+16], Flip [Méa+16] 27 Conclusion Symmetric Key Cryptography • Encryption: AES-CTR • Hash: SHA-2, SHA-3 • Authenticated Encryption: AES-GCM, ChaCha20-Poly1305, CAESAR Quantum Attacks • Mostly fine with double the parameter sizes. • Improve cryptanalytic attacks with quantum algorithms. 1 Thanks to https://www.iacr.org/authors/tikz/ for some of the figures. 28 Questions? 28 References i Martin R. Albrecht, Kenneth G. Paterson, and Gaven J. Watson. “Plaintext Recovery Attacks against SSH”. In: 30th IEEE Symposium on Security and Privacy (S&P 2009). 2009, pp. 16–26. Martin R. Albrecht et al. “Ciphers for MPC and FHE”. In: Advances in Cryptology - EUROCRYPT 2015. 2015, pp. 430–454. Martin R. Albrecht et al. “MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity”. In: Advances in Cryptology - ASIACRYPT 2016. 2016, pp. 191–219. Matthew Amy et al. Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3. Cryptology ePrint Archive, Report 2016/992. http://eprint.iacr.org/2016/992. 2016. Gilles Brassard, Peter Høyer, and Alain Tapp. “Quantum cryptanalysis of hash and claw-free functions”. In: SIGACT News 28.2 (1997), pp. 14–19. 29 References ii Mihir Bellare and Chanathip Namprempre. “Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm”. In: Advances in Cryptology - ASIACRYPT 2000.
Load more

Recommended publications
  • The Software Performance of Authenticated-Encryption Modes 1
    An earlier version of this paper appears at Fast Software Encryption 2011 (FSE 2011). The Software Performance of Authenticated-Encryption Modes Ted Krovetz∗ Phillip Rogawayy March 21, 2011 Abstract We study the software performance of authenticated-encryption modes CCM, GCM, and OCB. Across a variety of platforms, we find OCB to be substantially faster than either alternative. For example, on an Intel i5 (\Clarkdale") processor, good implementations of CCM, GCM, and OCB encrypt at around 4.2 cpb, 3.7 cpb, and 1.5 cpb, while CTR mode requires about 1.3 cpb. Still we find room for algorithmic improvements to OCB, showing how to trim one blockcipher call (most of the time, assuming a counter-based nonce) and reduce latency. Our findings contrast with those of McGrew and Viega (2004), who claimed similar performance for GCM and OCB. Key words: authenticated encryption, cryptographic standards, encryption speed, modes of operation, CCM, GCM, OCB. 1 Introduction Background. Over the past few years, considerable effort has been spent constructing schemes for authenticated encryption (AE). One reason is recognition of the fact that a scheme that delivers both privacy and authenticity may be more efficient than the straightforward amalgamation of separate privacy and authenticity techniques. A second reason is the realization that an AE scheme is less likely to be incorrectly used than an encryption scheme designed for privacy alone. While other possibilities exist, it is natural to build AE schemes from blockciphers, employing some mode of operation. There are two approaches. In a composed (\two-pass") AE scheme one conjoins essentially separate privacy and authenticity modes.
    [Show full text]
  • Patent-Free Authenticated-Encryption As Fast As OCB
    Patent-Free Authenticated-Encryption As Fast As OCB Ted Krovetz Computer Science Department California State University Sacramento, California, 95819 USA [email protected] Abstract—This paper presents an efficient authenticated encryp- VHASH hash family [4]. The resulting authenticated encryp- tion construction based on a universal hash function and block tion scheme peaks at 12.8 cpb, while OCB peaks at 13.9 cpb in cipher. Encryption is achieved via counter-mode while authenti- our experiments. The paper closes with a performance com- cation uses the Wegman-Carter paradigm. A single block-cipher parison of several well-known authenticated encryption algo- key is used for both operations. The construction is instantiated rithms [6]. using the hash functions of UMAC and VMAC, resulting in authenticated encryption with peak performance about ten per- cent slower than encryption alone. II. SECURITY DEFINITIONS We adopt the notions of security from [7], and summarize Keywords- Authenticated encryption, block-cipher mode-of- them less formally here. An authenticated encryption with as- operation, AEAD, UMAC, VMAC. sociated data (AEAD) scheme is a triple S = (K,E,D), where K is a set of keys, and E and D are encryption and decryption I. INTRODUCTION functions. Encryption occurs by computing E(k,n,h,p,f), which Traditionally when one wanted to both encrypt and authen- returns (c,t), for key k, nonce n, header h, plaintext m and ticate communications, one would encrypt the message under footer f. Ciphertext c is the encryption of p, and tag t authenti- one key and authenticate the resulting ciphertext under a sepa- cates h, c and f.
    [Show full text]
  • Reducing the Impact of Dos Attacks on Endpoint IP Security
    Reducing the Impact of DoS Attacks on Endpoint IP Security Joseph D. Touch and Yi-Hua Edward Yang USC/ISI [email protected] / [email protected] 1 Abstract some attack traffic. These results also indicate that this technique becomes more effective as the algorithm IP security is designed to protect hosts from attack, becomes more computationally intensive, and suggest but can itself provide a way to overwhelm the that such hierarchical intra-packet defenses are needed resources of a host. One such denial of service (DoS) to avoid IPsec being itself an opportunity for attack. attack involves sending incorrectly signed packets to a host, which then consumes substantial CPU resources 2. Background to reject unwanted traffic. This paper quantifies the impact of such attacks and explores preliminary ways Performance has been a significant issue for to reduce that impact. Measurements of the impact of Internet security since its inception and affects the DoS attack traffic on PC hosts indicate that a single IPsec suite both at the IKE (session establishment) and attacker can reduce throughput by 50%. This impact IPsec (packets in a session) level [10][11]. This paper can be reduced to 20% by layering low-effort nonce focuses on the IPsec level, i.e., protection for validation on IPsec’s CPU-intensive cryptographic established sessions. Previous performance analysis of algorithms, but the choice of algorithm does not have HMAC-MD5 (Hashed-MAC, where MAC means as large an effect. This work suggests that effective keyed Message Authentication Code), HMAC-SHA1, DoS resistance requires a hierarchical defense using and 3DES showed that the cost of the cryptographic both nonces and strong cryptography at the endpoints, algorithms dwarfs other IPsec overheads [6] [7] [15].
    [Show full text]
  • Implementation of Hash Function for Cryptography (Rsa Security)
    International Journal For Technological Research In Engineering Volume 4, Issue 6, February-2017 ISSN (Online): 2347 - 4718 IMPLEMENTATION OF HASH FUNCTION FOR CRYPTOGRAPHY (RSA SECURITY) Syed Fateh Reza1, Mr. Prasun Das2 1M.Tech. (ECE), 2Assistant Professor (ECE), Bitm,Bolpur ABSTRACT: In this thesis, a new method for expected to have a unique hash code and it should be implementing cryptographic hash functions is proposed. generally difficult for an attacker to find two messages with This method seeks to improve the speed of the hash the same hash code. function particularly when a large set of messages with Mathematically, a hash function (H) is defined as follows: similar blocks such as documents with common Headers H: {0, 1}* → {0, 1}n are to be hashed. The method utilizes the peculiar run-time In this notation, {0, 1}* refers to the set of binary elements configurability Feature of FPGA. Essentially, when a block of any length including the empty string while {0, 1}n refers of message that is commonly hashed is identified, the hash to the set of binary elements of length n. Thus, the hash value is stored in memory so that in subsequent occurrences function maps a set of binary elements of arbitrary length to of The message block, the hash value does not need to be a set of binary elements of fixed length. Similarly, the recomputed; rather it is Simply retrieved from memory, thus properties of a hash function are defined as follows: giving a significant increase in speed. The System is self- x {0, 1}*; y {0,1}n learning and able to dynamically build on its knowledge of Pre-image resistance: given y= H(x), it should be difficult to frequently Occurring message blocks without intervention find x.
    [Show full text]
  • Authenticated Ciphers D. J. Bernstein University of Illinois at Chicago
    Authenticated ciphers D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven Advertisement: SHARCS 2012 (Special-Purpose Hardware for Attacking Cryptographic Systems) is right before FSE+SHA-3. 2012.01.23 deadline to submit extended abstracts. 2012.sharcs.org Multiple-year SHA-3 competition has produced a natural focus for security analysis and performance analysis. Community shares an interest in selecting best hash as SHA-3. Intensive analysis of candidates: hash conferences, hash workshops, active SHA-3 mailing list, etc. Would have been harder to absorb same work spread over more conferences, more time. Focus improves community's understanding and confidence. This is a familiar pattern. June 1998: AES block-cipher submissions from 50 people ) community focus. April 2005: eSTREAM stream- cipher submissions from 100 people ) community focus. October 2008: SHA-3 hash- function submissions from 200 people ) community focus. This is a familiar pattern. June 1998: AES block-cipher submissions from 50 people ) community focus. April 2005: eSTREAM stream- cipher submissions from 100 people ) community focus. October 2008: SHA-3 hash- function submissions from 200 people ) community focus. NESSIE was much less focused and ended up in more trouble: e.g., only two MAC submissions. The next community focus What's next after block ciphers, stream ciphers, hash functions? Proposal: authenticated ciphers. Basic security goal: two users start with a shared secret key; then want to protect messages against espionage and forgery. The usual competition: maximize security subject to performance constraints; i.e.: maximize performance subject to security constraints. \Isn't authenticated encryption done already?" \Isn't authenticated encryption done already?" FSE 2011 Krovetz{Rogaway cite EtM, RPC, IAPM, XCBC, OCB1, TAE, CCM, CWC, GCM, EAX, OCB2, CCFB, CHM, SIV, CIP, HBS, BTM; and propose OCB3.
    [Show full text]
  • Message Franking Via Committing Authenticated Encryption∗
    Message Franking via Committing Authenticated Encryption∗ Paul Grubbs1, Jiahui Lu2, and Thomas Ristenpart1 1 Cornell Tech 2 Shanghai Jiao Tong University Abstract We initiate the study of message franking, recently introduced in Facebook's end-to-end encrypted message system. It targets verifiable reporting of abusive messages to Facebook without compromising security guarantees. We capture the goals of message franking via a new cryptographic primitive: compactly committing authenticated encryption with associated data (AEAD). This is an AEAD scheme for which a small part of the ciphertext can be used as a cryptographic commitment to the message contents. Decryption provides, in addition to the message, a value that can be used to open the commitment. Security for franking mandates more than that required of traditional notions associated with commitment. Nevertheless, and despite the fact that AEAD schemes are in general not committing (compactly or otherwise), we prove that many in-use AEAD schemes can be used for message franking by using secret keys as openings. An implication of our results is the first proofs that several in-use symmetric en- cryption schemes are committing in the traditional sense. We also propose and analyze schemes that retain security even after openings are revealed to an adversary. One is a generalization of the scheme implicitly underlying Facebook's message franking protocol, and another is a new construction that offers improved performance. Keywords: authenticated encryption, encrypted messaging 1 Introduction Encrypted messaging systems are now used by more than a billion people, due to the introduction of popular, industry-promoted products including WhatsApp [65], Signal [66], and Facebook Mes- senger [31].
    [Show full text]
  • Modes of Operations for Encryption and Authentication Using Stream Ciphers Supporting an Initialisation Vector
    Modes of Operations for Encryption and Authentication Using Stream Ciphers Supporting an Initialisation Vector Palash Sarkar Applied Statistics Unit Indian Statistical Institute 203, B.T. Road, Kolkata India 700108. email: [email protected] Abstract. We describe a systematic framework for using a stream cipher supporting an initialisation vector (IV) to perform various tasks of authentication and authenticated encryption. These include message authentication code (MAC), authenticated encryption (AE), authenticated encryption with associated data (AEAD) and deterministic authenticated encryption (DAE) with associated data. Sev- eral schemes are presented and rigourously analysed. A major component of the constructions is a keyed hash function having provably low collision and differential probabilities. Methods are described to efficiently extend such hash functions to take multiple inputs. In particular, double-input hash func- tions are required for the construction of AEAD schemes. An important practical aspect of our work is that a designer can combine off-the-shelf stream ciphers with off-the-shelf hash functions to obtain secure primitives for MAC, AE, AEAD and DAE(AD). Keywords: stream cipher with IV, universal hash function, authentication, authenticated encryption with associated data, deterministic authenticated encryption, modes of oper- ations. 1 Introduction Stream ciphers are one of the basic primitives for performing cryptographic operations. In the conventional view, a stream cipher is considered to be a pseudo-random generator. It takes as input a short secret random seed (called the secret key) and produces as output a long random looking keystream. Encryption is performed by bitwise XORing the keystream to the message. Decryption is performed by regenerating the keystream (from the shared secret seed) and XORing it to the ciphertext.
    [Show full text]
  • SECURE ALGORITHMS Minding Your MAC Algorithms?
    SECURE ALGORITHMS Abstract In spite of the advantages of digital signa- tures, MAC algorithms are still widely used to authenticate data; common uses include authorization of financial transactions, mo- bile communications (GSM and 3GPP), and authentication of Internet communications with SSL/TLS and IPsec. While some MAC algorithms are part of ‘legacy’ implementa- tions, the success of MAC algorithms is mainly due to their much lower computa- tional and storage costs (compared to digital signatures). This article describes a list of common pitfalls that the authors have en- countered when evaluating MAC algorithms deployed in commercial applications and pro- vides some recommendations for practitio- ners. Minding Your Introduction MAC Algorithms? MAC algorithms compute a short string as a complex function of a message and a secret key. In a communications setting, the sender will ap- Helena Handschuh pend the MAC value to the message (see also Gemplus, France Figure 1). The recipient shares a secret key with the sender. On receipt of the message, he recom- putes the MAC value using the shared key and Bart Preneel verifies that it is the same as the MAC value sent K.U.Leuven, Belgium along with the message. If the MAC value is cor- rect, he can be convinced that the message origi- nated from the particular sender and that it has not been tampered with during the transmis- sion. Indeed, if an opponent modifies the mes- sage, the MAC value will no longer be correct. Moreover, the opponent does not know the se- cret key, so he is not able to predict how the MAC value should be modified.
    [Show full text]
  • FIPS 140-2 Non-Proprietary Security Policy
    SUSE Linux Enterprise Server 12 - OpenSSH Server Module v1.0 and v2.0 FIPS 140-2 Non-Proprietary Security Policy Version 2.0 Last Update: 2017-12-21 Prepared by: atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 www.atsec.com © 2017 SUSE Linux Products GmbH / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice. SUSE Linux Enterprise Server 12 - OpenSSH Server Module v1.0 and v2.0 FIPS 140-2 Non-Proprietary Security Policy Contents 1. Cryptographic Module Specification ..................................................................................................................... 3 1.1. Description of Module ................................................................................................................................... 3 1.2. Description of Approved Mode ..................................................................................................................... 4 1.3. Cryptographic Module Boundary .................................................................................................................. 5 1.3.1. Hardware Block Diagram ..................................................................................................................... 6 1.3.2. Software Block Diagram ....................................................................................................................... 7 1.4. SUSE Linux Cryptographic Modules and FIPS 140-2 Validation ................................................................
    [Show full text]
  • Development of Authentication Codes of Messages on the Basis of Umac with Crypto-Code Mceliece’S Scheme
    INTERNATIONAL JOURNAL OF 3D PRINTING TECHNOLOGIES AND DIGITAL INDUSTRY 3:2 (2019) 153-170 Araştırma Makalesi/Research Articles DEVELOPMENT OF AUTHENTICATION CODES OF MESSAGES ON THE BASIS OF UMAC WITH CRYPTO-CODE MCELIECE’S SCHEME Serhii Yevseieva, Olha Korolb, Alla Havrylovaa* aSimon Kuznets Kharkiv National University of Economics, Department of Cyber Security and Information Technology, UKRAINE bNational University of Ostroh Academy, UKRAINE *Corresponding Author: [email protected] (Received: 22.04.2019; Revised: 02.07.2019; Accepted: 15.07.2019) ABSTRACT The development of decentralized systems and blockchain technology have expanded the range of cryptocurrency-based banking services. The main difference from the hierarchical structures of the organizations of the banking sector (national and commercial banks) is the formation of valid nodes ensuring the confirmation of transactions based on the checking and verification of digital signatures and MAC codes. The Bitcoin protocols use the SHA-256 algorithm to form MAC codes, however, the rapid growth of the system leads to significant time costs not only for mining, but also for validation of the formed blocks. The further development of decentralized systems, increase the number of wall- distributors and full nodes forces us to look for new ways to solve a temporary problem based on using different approaches to providing authentication in decentralized systems. The paper discusses the algorithm for generating UMAC message authentication codes using a McEliece’s crypto-code scheme based on the use of universal hashing functions. A reduced UMAC model (mini-UMAC) and a method for statistical analysis of the collision characteristics of the generated message authentication codes are proposed.
    [Show full text]
  • Crypto 101 Lvh
    Crypto 101 lvh 1 2 Copyright 2013-2017, Laurens Van Houtven (lvh) This work is available under the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) license. You can find the full text of the license at https://creativecommons.org/licenses/by-nc/4.0/. The following is a human-readable summary of (and not a substitute for) the license. You can: • Share: copy and redistribute the material in any medium or format • Adapt: remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms: • Attribution: you must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. • NonCommercial: you may not use the material for commercial purposes. • No additional restrictions: you may not apply legal terms or technological measures that legally restrict others from doing anything the license permits. You do not have to comply with the license for elements of the material in the public domain or where your use is permitted by an applicable exception or limitation. 3 No warranties are given. The license may not give you all of the permissions necessary for your intended use. For example, other rights such as publicity, privacy, or moral rights may limit how you use the material. Pomidorkowi 4 Contents Contents 5 I Foreword 10 1 About this book 11 2 Advanced sections 13 3 Development 14 4 Acknowledgments 15 II Building blocks 17 5 Exclusive or 18 5.1 Description .....................
    [Show full text]
  • RIV for Robust Authenticated Encryption
    RIV for Robust Authenticated Encryption Farzaneh Abed1, Christian Forler2, Eik List1, Stefan Lucks1, and Jakob Wenzel1 1 Bauhaus-Universität Weimar, 2 Hochschule Schmalkalden 1 <firstname>.<lastname>@uni-weimar.de, 2 [email protected] Abstract. Typical AE schemes are supposed to be secure when used as specified. However, they can – and often do – fail miserably when used improperly. As a partial remedy, Rogaway and Shrimpton proposed (nonce-)misuse-resistant AE (MRAE) and the first MRAE scheme SIV (“Synthetic Initialization Vector”). This paper proposes RIV (“Robust Initialization Vector”), which extends the generic SIV construction by an additional call to the internal PRF. RIV inherits the full security assurance from SIV, but unlike SIV and other MRAE schemes, RIV is also provably secure when releasing unverified plaintexts. This follows a recent line of research on “Robust Authenticated Encryption”, similar to the CAESAR candidate AEZ. An AES-based instantiation of RIV runs at less than 1.5 cpb on current x64 processors. Unlike the proposed instantiation of AEZ, which gains speed by relying on reduced-round AES, our instantiation of RIV is provably secure under the single assumption of the AES being secure. Keywords: robustness, subtle authenticated encryption, provable security 1 Introduction Authenticated Encryption. A secure authenticated encryption (AE) scheme generates ciphertexts that can not be efficiently distinguished from random bit- strings of the same length as the ciphertext and are infeasible to forge. Typical AE schemes are nonce-based [45], i.e., the user is responsible to supply an addi- tional input that must be unique for every encryption. If a nonce ever repeats, the scheme’s security may fully forfeit.
    [Show full text]