DOCSLIB.ORG

Authenticated Encryption

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Authenticated Encryption The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton DIAC — Directions in Authenticated Ciphers 05 July 2012 Stockholm, Sweden 1/52 1. Introduction Today - The recognition of AE as a useful “thing” - Modes that don’t work 2. Definitions and constructions - Defining AE Historically - Generic composition ordered - RPC, XCBC$, IAPM, OCB - Defining nonce-based AEAD - CCM - GCM - OCB, again - Defining MRAE - SIV 3. Discussion - Taxonomy - Patents - Suggestions - Sample research questions 2/52 Authenticated Encryption (AE) Promises two benefits 1. An easier-to-correctly-use abstraction boundary 2. More efficient realizations Begins with two realizations regarding symmetric encryption 1. “Integrity” /“authenticity” is routinely needed 2. “Standard” privacy mechanisms don’t provide it 1. Introduction 3/52 Check / insert redundancy No authenticity for any S = f (P) CBC 1. Introduction 4/52 Add more arrows PCBC See: Yu, Hartman, Raeburn 2004 “The Perils of Unauthenticated Encryption: Kerberos Version 4” 5/52 Still more arrows/operations iaPCBC [Gligor, Donescu 1999] Promptly broken by Jutla (1999) and by Ferguson, Whiting, Kelsey, Wagner (1999) 1. Introduction 6/52 Emerging understanding that: - Beyond IND-CPA privacy was often desirable ~2000 - Didn’t come with standard encryption methods - Simple ways to try to get it cheaply don’t work Similar realizations in the public-key world … - [Bleichenbacher 1998] – “A chosen ciphertext attack against protocols based on the RSA encryption standard PKCS #1” - Reaction was that IND-CPA security was not enough - CCA1 security (Naor-Yung 1990) - CCA2 security (Rackoff-Simon 1991) - Non-malleability (Dolev-Dwork-Naor 1991) 1. Introduction 7/52 AE Def ined [Bellare, Rogaway 2000] – “Encode-then-encipher encryption: how to exploit nonces or redundancy in plaintexts for efficient cryptography” [Katz, Yung 2000] – “Unforgeable encryption and chosen ciphertext secure modes of operation” coins M Enc C C Dec M or ^ K K • Conventional privacy [BDJR97]: Indistinguishability / semantic security. • Authenticity: The only ciphertexts C that will decrypt to something valid are those previously obtained by an Enc(·) call. 2. Definitions and constructions 8/52 [BDJR97] AE Def ined M || EncK () EncK (0 ) C C A priv || EncK () EncK (0 ) Adv ( A) = Pr[A 1] - Pr[A 1] P 2. Definitions and constructions 9/52 [BR00,KY00;BN00] AE Def ined M EncK () C A C* priv || EncK () EncK (0 ) Adv ( A) = Pr[A 1] - Pr[A 1] P auth EncK () * * * Adv ( A) = Pr[A C : no query returned C and DecK (C ) ^ ] P 2. Definitions and constructions 10/52 [BN00, KY0] The Strength of AE • Implies IND-CCA2 security • Implies NM-CCA2 security 2. Definitions and constructions 11/52 Generic Composition [BN 2000] of an IND-CPA encryption scheme and a PRF M M M EncK MACL MACL EncK C T EncK MACL C T C T Encrypt-and-MAC MAC-then-Encrypt Encrypt-then-MACP 2. Definitions and constructions 12/52 The Cost of Generic Composition M EncK Cost(AE) = Cost(Enc) + Cost(MAC) MACL C T Example cases: Enc = CTR, CBC MAC = CMAC, HMAC, PMAC, UMAC Generic composition can be pretty cheap – if you use a cheap MAC 2. Definitions and constructions 13/52 RPC Mode [KY00] M1 M2 M3 M4 start i M1 i+1 M2 i+2 M3 i+3 M4 i+4 end i+5 EK EK EK EK EK EK i C0 C1 C2 C3 C4 C5 2. Definitions and constructions 14/52 XCBC$ Mode [Gligor Donescu 2001] Illustration from Gligor-Donescu US Patent 6973182 (2001) 2. Definitions and constructions 15/52 IAPM Mode [Jutla 2001] Illustration from [Jutla 2001] 2. Definitions and constructions 16/52 OCB Mode (later “OCB1”) [R, Bellare, Black, Krovetz 2001] Like IAPM but highly optimized. Motivated by NIST’s modes call. Z [i] = R gi L Checksum = M[1] M[m-1] C[m]0*Y[m] • Arbitrary-length messages • Efficient offset calculations • m + 2 blockcipher calls, m = |M|/n • Single blockcipher key • Cheap key setup (one blockcipher call) 2. Definitions and constructions 17/52 Two important players: NIST and IEEE 802.11i • WiFi standard ratified in 1999 Uses WEP security • Fatal attacks soon emerge: - [Fluhrer, Mantin, Shamir 2001] Weaknesses in the key scheduling algorithm of RC4 - [Stubblefield, Ioannidis, Rubin 2001] Using the Fluhrer, Mantin, Shamir attack to break WEP - [Borisov, Goldberg, Wagner 2001] Intercepting mobile communications: the insecurity of 802.11 - [Cam-Winget , Housley, Wagner, Walker 2003] Security flaws in 802.11 data links protocols • WEP TKIP WPA WPA2 - Draft solutions based on OCB - Politics and patent-avoidance: [Whiting, Housley, Ferguson 2002] develop CCM (=CCMP) - CCM standardized for 802.11, then NIST 2. Definitions and constructions 18/52 Before describing CCM … Back to the def initional story N coins N M Enc C C Dec M AD AD or ^ K K • Random values routinely aren’t • Many application have an available nonce • Weaker user requirement; less misuse 1) Move the coins “out” and make a “nonce” sufficient [RBBK01] 2) Add in “associated data” [R02] • Requirement from Cam-Winget, Kaliski, Walker • AD is authenticated but not encrypted • Failure to provide same AD on decryption results in ^ 2. Definitions and constructions 19/52 Also: (1) Ask for indistinguishability from random bits [RBBK00] AEAD (2) All-in-one definition [R, Shrimpton 2006] N, AD, M EncK (,,) $ (,, ) C C A M ^ ^ (,, ) DecK (,,) N, AD, C aead EncK DecK $ ^ Adv ( A) = Pr[A 1] - Pr[A 1] P A may not: repeat an N-value in an enc query; or ask a dec query (N, AD, C) after C is returned by an (N, AD, ) enc query 2. Definitions and constructions 20/52 [Whiting, Housley, Ferguson 2002] NIST SP 800-38C CCM Mode RFC 3610, 4309, 5084 Roughly MAC-then-Encrypt 2. Definitions and constructions 21/52 Functions FORMAT and COUNT where 2. Definitions and constructions 22/52 See: [R 2011], “Evaluation of Some [Whiting, Housley, Ferguson 2002] Blockcipher Modes of Operation” (Ch. 11); NIST SP 800-38C:2004 following [R, Wagner 2003], “A Critique of CCM” CCM Mode RFC 3610, 4309, 5084, 5116 • Provably secure, with OK bounds, if AE if E is a good PRP [Jonsson 2002] • Widely used, standardized (eg, in 802.11) • Simple to implement • Only forward direction of blockcipher used • About 2m+2 blockcipher calls • Half non-parallelizable • Word alignment disrupted • Can’t preprocess static AD • Not “online” — need to know m in advance • Complex Bit twiddling formatting • User must specify Absent abstraction boundary q {2,3,4,5,6,7,8} – byte length of byte length of longest message which determines nonce length(!) of t =15-q 2. Definitions and constructions 23/52 [Bellare, R, Wagner 2004] ANSI C12.22, ISO 19772 The issues with CCM aren’t hard to f ix • Generic composition of CTR and CMAC is a good alternative • EAX is a CCM-like mode intended to fix CCM’s problems N M A 0 1 CMACK CTRK CMACK C T 2 CMACK EAX 2. Definitions and constructions 24/52 See: [R 2011], “Evaluation of Some [McGrew, Viega 2004] Blockcipher Modes of Operation”, Ch. 12 (Follows CWC [Kohno, Viega, Whiting 2004]) NIST SP 800-38D:2007 RFC 4106, 5084, 5116, 5288, 5647 ISO 19772:2009 GCM Mode with 96-bit nonce N 2. Definitions and constructions 25/52 [McGrew, Viega 2004] GCM Mode Follows CWC [Kohno, Viega, Whiting 2004] NIST SP 800-38D • Provably secure, with OK bounds for long tags IPsec, TLS, MACsec, P1619.1, TLS • Parallelizable, online ISO 19772:2009 • About m+1 blockcipher calls, all of them parallelizable • Very efficient in HW • Reasonably efficient in SW with AES-NI, PCMULDQ, preprocessing & tables • Static AD can be preprocessed • Only forward direction of blockcipher used t/2 • First forgery after 2 queries • After, additional forgeries come quickly • Poor bound if truncate tag too much [Ferguson, 2005] (don’t truncate <96 bits) • Not that efficient in SW, even with PCMULDQ support • Timing attacks an issue for table-based realizations (slow setup, too) 36 • Maximum of 2 -32 bytes • “Reflected-bit” convention for representing field points unfortunate • |N|96 case not handled well • Published proof is buggy [Iwata, 2012] 2. Definitions and constructions26 /52 OCB3 [RBBK01, R04, KR10] OCB Mode in terms of a tweakable blockcipher [LRW02] = M1 M2 M3 M4 2. Definitions and constructions 27/52 [RBBK01, R04, KR10] OCB Mode in terms of a tweakable blockcipher [LRW02] = M1 M2 M3 M410 * 2. Definitions and constructions 28/52 [RBBK01, R04, KR10] OCB Mode in terms of a tweakable blockcipher [LRW02] 2. Definitions and constructions 29/52 Making the Tweakable Blockcipher ~N i EK (X) = EK (XD) D with D= Initial + li L ~ N i * * EK (X) = EK (XD) with D= Initial + li L ~N i $ $ EK (X) = EK (XD) with D= Initial + li L ~ N i * $ *$ EK (X) = EK (XD) with D= Initial + li L ~ i EK (X) = EK (XD) with D= li L ~ i * * EK (X) = EK (XD) with D= li L 127-|N| 128 a(0) = 0 Nonce = 0 1 N L = EK (0 ) Top = Nonce & 1122 06 ntz (i) li = 4 a(i) a(i) = a(i-1) 2 122 6 * Bottom = Nonce & 1 1 li = 4 a(i)+1 $ Ktop = EK (Top) li = 4 a(i)+2 *$ Stretch = Ktop || (Ktop (Ktop << 8)) li = 4 a(i)+3 Initial = (Stretch << Bottom) [1..128] 2. Definitions and constructions 30/52 [KR11] Software Performance Mode 4KB cpb Intel Core x86 i7 – “Sandy Bridge” CCM 5.14 64-bit OS, using AES/GCM NIs GCM 2.95 OCB 0.87 Time 2. Definitions and constructions 31/52 [KR11] Software Performance Mode 4K cpb Intel Core x86 i5-650 – “Clarkdale” CCM 2.09 64-bit OS, using AES/GCM NIs GCM 2.46 OCB 0.21 Overhead 2.
Load more

Recommended publications
  • The Software Performance of Authenticated-Encryption Modes 1
    An earlier version of this paper appears at Fast Software Encryption 2011 (FSE 2011). The Software Performance of Authenticated-Encryption Modes Ted Krovetz∗ Phillip Rogawayy March 21, 2011 Abstract We study the software performance of authenticated-encryption modes CCM, GCM, and OCB. Across a variety of platforms, we find OCB to be substantially faster than either alternative. For example, on an Intel i5 (\Clarkdale") processor, good implementations of CCM, GCM, and OCB encrypt at around 4.2 cpb, 3.7 cpb, and 1.5 cpb, while CTR mode requires about 1.3 cpb. Still we find room for algorithmic improvements to OCB, showing how to trim one blockcipher call (most of the time, assuming a counter-based nonce) and reduce latency. Our findings contrast with those of McGrew and Viega (2004), who claimed similar performance for GCM and OCB. Key words: authenticated encryption, cryptographic standards, encryption speed, modes of operation, CCM, GCM, OCB. 1 Introduction Background. Over the past few years, considerable effort has been spent constructing schemes for authenticated encryption (AE). One reason is recognition of the fact that a scheme that delivers both privacy and authenticity may be more efficient than the straightforward amalgamation of separate privacy and authenticity techniques. A second reason is the realization that an AE scheme is less likely to be incorrectly used than an encryption scheme designed for privacy alone. While other possibilities exist, it is natural to build AE schemes from blockciphers, employing some mode of operation. There are two approaches. In a composed (\two-pass") AE scheme one conjoins essentially separate privacy and authenticity modes.
    [Show full text]
  • Analysis of Selected Block Cipher Modes for Authenticated Encryption
    Analysis of Selected Block Cipher Modes for Authenticated Encryption by Hassan Musallam Ahmed Qahur Al Mahri Bachelor of Engineering (Computer Systems and Networks) (Sultan Qaboos University) – 2007 Thesis submitted in fulfilment of the requirement for the degree of Doctor of Philosophy School of Electrical Engineering and Computer Science Science and Engineering Faculty Queensland University of Technology 2018 Keywords Authenticated encryption, AE, AEAD, ++AE, AEZ, block cipher, CAESAR, confidentiality, COPA, differential fault analysis, differential power analysis, ElmD, fault attack, forgery attack, integrity assurance, leakage resilience, modes of op- eration, OCB, OTR, SHELL, side channel attack, statistical fault analysis, sym- metric encryption, tweakable block cipher, XE, XEX. i ii Abstract Cryptography assures information security through different functionalities, es- pecially confidentiality and integrity assurance. According to Menezes et al. [1], confidentiality means the process of assuring that no one could interpret infor- mation, except authorised parties, while data integrity is an assurance that any unauthorised alterations to a message content will be detected. One possible ap- proach to ensure confidentiality and data integrity is to use two different schemes where one scheme provides confidentiality and the other provides integrity as- surance. A more compact approach is to use schemes, called Authenticated En- cryption (AE) schemes, that simultaneously provide confidentiality and integrity assurance for a message. AE can be constructed using different mechanisms, and the most common construction is to use block cipher modes, which is our focus in this thesis. AE schemes have been used in a wide range of applications, and defined by standardisation organizations. The National Institute of Standards and Technol- ogy (NIST) recommended two AE block cipher modes CCM [2] and GCM [3].
    [Show full text]
  • Item Box Subject Author Title Exps Pages Size Inches Pub. Date Grand
    Item Box Subject Author Title Exps Pages Size Inches Pub. Date Grand Total: 3, 139, 369, 104, 343, 159, [and the 210 Namibian 51, 612, 191, 21, 44, 1, 39, 95, 428, docs so far is 2809] (2599) Central Africa:3 1 Central Africa—General Economics UNECA Subregional Strategies 19 32 8x11.5 Hints to Businessmen Visiting The London Board of 2 Central Africa—General Economics Congo (Brazzaville), Chad, Gabon 19 32 4.75x7.125 Trade and Central African Republic Purpose and Perfection Pottery as 3 Central Africa—General Art The Smithsonian Institution 3 4 8x9.25 a Woman's Art in Central Africa Botswana:139 National Institute of Access to Manual Skills Training in 1 Botswana—Bibliographies Bibliography Development and Cultural Botswana: An Annotated 9 13 8x11.5 Research Bibliography Social Thandiwe Kgosidintsi and 2 Botswana—Bibliographies Sciences—Information Publishing in Botswana 2 2 8.5x11 Neil Parsons Science National Institute of 3 Botswana—Bibliographies Bibliography Development Rearch and Working Papers 5 8 5.75x8.25 Documentation University of Botswana and Department of Library Studies 1 Botswana—Social Sciences Social Sciences 28 25 8.25x11.75 Swaziland Prospectus Social Refugees In Botswana: a Policy of 2 Botswana—Social Sciences United Nations 3 7 4.125x10.5 Sciences—Refugees Resettlement Projet De College Exterieur Du 3 Botswana—Social Sciences Social Sciences unknown 3 3 8.25x11.75 Botswana Community Relations in Botswana, with special reference to Francistown. Statement 4 Botswana—Social Sciences Social Sciences Republic of Botswana Delivered to the National Assembly 4 5 5.5x8 1971 by His Honor the Vice President Dt.
    [Show full text]
  • The EAX Mode of Operation
    A preliminary version of this papers appears in Fast Software Encryption ’04, Lecture Notes in Computer Science, vol. ?? , R. Bimal and W. Meier ed., Springer-Verlag, 2004. This is the full version. The EAX Mode of Operation (A Two-Pass Authenticated-Encryption Scheme Optimized for Simplicity and Efficiency) ∗ † ‡ M. BELLARE P. ROGAWAY D. WAGNER January 18, 2004 Abstract We propose a block-cipher mode of operation, EAX, for solving the problem of authenticated-encryption with associated-data (AEAD). Given a nonce N, a message M, and a header H, our mode protects the privacy of M and the authenticity of both M and H. Strings N, M, and H are arbitrary bit strings, and the mode uses 2|M|/n + |H|/n + |N|/n block-cipher calls when these strings are nonempty and n is the block length of the underlying block cipher. Among EAX’s characteristics are that it is on-line (the length of a message isn’t needed to begin processing it) and a fixed header can be pre-processed, effectively removing the per-message cost of binding it to the ciphertext. EAX is obtained by first creating a generic-composition method, EAX2, and then collapsing its two keys into one. EAX is provably secure under a standard complexity-theoretic assumption. The proof of this fact is novel and involved. EAX is an alternative to CCM [26], which was created to answer the wish within standards bodies for a fully-specified and patent-free AEAD mode. As such, CCM and EAX are two-pass schemes, with one pass for achieving privacy and one for authenticity.
    [Show full text]
  • Security Policy: Informacast Java Crypto Library
    FIPS 140-2 Non-Proprietary Security Policy: InformaCast Java Crypto Library FIPS 140-2 Non-Proprietary Security Policy InformaCast Java Crypto Library Software Version 3.0 Document Version 1.2 June 26, 2017 Prepared For: Prepared By: Singlewire Software SafeLogic Inc. 1002 Deming Way 530 Lytton Ave, Suite 200 Madison, WI 53717 Palo Alto, CA 94301 www.singlewire.com www.safelogic.com Document Version 1.2 © Singlewire Software Page 1 of 35 FIPS 140-2 Non-Proprietary Security Policy: InformaCast Java Crypto Library Abstract This document provides a non-proprietary FIPS 140-2 Security Policy for InformaCast Java Crypto Library. Document Version 1.2 © Singlewire Software Page 2 of 35 FIPS 140-2 Non-Proprietary Security Policy: InformaCast Java Crypto Library Table of Contents 1 Introduction .................................................................................................................................................. 5 1.1 About FIPS 140 ............................................................................................................................................. 5 1.2 About this Document.................................................................................................................................... 5 1.3 External Resources ....................................................................................................................................... 5 1.4 Notices .........................................................................................................................................................
    [Show full text]
  • Implementation and Evaluation of Secure Industrial Ethernet Communication
    Implementation and Evaluation of Secure Industrial Ethernet Communication Master of Science Thesis, Communication Engineering KAN YU Department of Signals and Systems CHALMERS UNIVERSITY OF TECHNOLOGY Göteborg, Sweden, August 2010 Page 2/88 Abstract Automation network security becomes increasingly important due to the introduction of Ethernet- based fieldbus protocols and cryptographic algorithms play a vital important role in these protocols. Choosing the most suitable cryptographic algorithms under consideration of security and performance according to different application cases is essential. In this thesis, we first present a comprehensive survey of most commonly used cryptographic algorithms which can be applied in automation networks and then identify our candidates based on existing literature and related works for further evaluation in ARM platform for industrial purpose. Finally, according to our evaluation results, we choose suitable algorithms for different applications: for symmetric algorithms, Twofish is recommended for best performance and eXtended Tiny Encryption Algorithm (XTEA) and Corrected Block Tiny Encryption Algorithm (XXTEA) are recommended for the least footprint; for Message Authentication Code (MAC) algorithms, UMAC is strongly recommended for excellent speed; for asymmetric algorithms, Elliptic Curve Cryptography (ECC) has much better performance than RSA at the same security level in our platform. Page 3/88 TABLE OF CONTENTS 1 INTRODUCTION ..................................................................................................................................
    [Show full text]
  • Efficient & Secure Cipher Scheme with Dynamic Key-Dependent Mode Of
    Efficient & secure cipher scheme with dynamic key-dependent mode of operation Hassan Noura, Ali Chehab, Raphael Couturier To cite this version: Hassan Noura, Ali Chehab, Raphael Couturier. Efficient & secure cipher scheme with dynamic key- dependent mode of operation. Signal Processing: Image Communication, Elsevier, 2019, 78, pp.448 - 464. hal-02366798 HAL Id: hal-02366798 https://hal.archives-ouvertes.fr/hal-02366798 Submitted on 16 Nov 2019 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Efficient & Secure Cipher Scheme with Dynamic Key-Dependent Mode of Operation Hassan N. Nouraa, Ali Chehaba, Rapha¨elCouturierb a Electrical and Computer Engineering American University of Beirut (AUB) Beirut, Lebanon bUniv. Bourgogne Franche-Comt´e(UBFC), FEMTO-ST Institute, CNRS, Belfort, France Abstract Security attacks are constantly on the rise leading to drastic consequences. Several secu- rity services are required more than ever to prevent both passive and active attacks such as Data Confidentiality (DC). A DC security service is typically based on a strong symmetric cipher algorithm. However, some of today's applications, such as real-time applications and those running on constrained devices, require efficient lightweight cipher schemes that can achieve a good balance between the security level and system performance.
    [Show full text]
  • Cs 255 (Introduction to Cryptography)
    CS 255 (INTRODUCTION TO CRYPTOGRAPHY) DAVID WU Abstract. Notes taken in Professor Boneh’s Introduction to Cryptography course (CS 255) in Winter, 2012. There may be errors! Be warned! Contents 1. 1/11: Introduction and Stream Ciphers 2 1.1. Introduction 2 1.2. History of Cryptography 3 1.3. Stream Ciphers 4 1.4. Pseudorandom Generators (PRGs) 5 1.5. Attacks on Stream Ciphers and OTP 6 1.6. Stream Ciphers in Practice 6 2. 1/18: PRGs and Semantic Security 7 2.1. Secure PRGs 7 2.2. Semantic Security 8 2.3. Generating Random Bits in Practice 9 2.4. Block Ciphers 9 3. 1/23: Block Ciphers 9 3.1. Pseudorandom Functions (PRF) 9 3.2. Data Encryption Standard (DES) 10 3.3. Advanced Encryption Standard (AES) 12 3.4. Exhaustive Search Attacks 12 3.5. More Attacks on Block Ciphers 13 3.6. Block Cipher Modes of Operation 13 4. 1/25: Message Integrity 15 4.1. Message Integrity 15 5. 1/27: Proofs in Cryptography 17 5.1. Time/Space Tradeoff 17 5.2. Proofs in Cryptography 17 6. 1/30: MAC Functions 18 6.1. Message Integrity 18 6.2. MAC Padding 18 6.3. Parallel MAC (PMAC) 19 6.4. One-time MAC 20 6.5. Collision Resistance 21 7. 2/1: Collision Resistance 21 7.1. Collision Resistant Hash Functions 21 7.2. Construction of Collision Resistant Hash Functions 22 7.3. Provably Secure Compression Functions 23 8. 2/6: HMAC And Timing Attacks 23 8.1. HMAC 23 8.2.
    [Show full text]
  • Patent-Free Authenticated-Encryption As Fast As OCB
    Patent-Free Authenticated-Encryption As Fast As OCB Ted Krovetz Computer Science Department California State University Sacramento, California, 95819 USA [email protected] Abstract—This paper presents an efficient authenticated encryp- VHASH hash family [4]. The resulting authenticated encryp- tion construction based on a universal hash function and block tion scheme peaks at 12.8 cpb, while OCB peaks at 13.9 cpb in cipher. Encryption is achieved via counter-mode while authenti- our experiments. The paper closes with a performance com- cation uses the Wegman-Carter paradigm. A single block-cipher parison of several well-known authenticated encryption algo- key is used for both operations. The construction is instantiated rithms [6]. using the hash functions of UMAC and VMAC, resulting in authenticated encryption with peak performance about ten per- cent slower than encryption alone. II. SECURITY DEFINITIONS We adopt the notions of security from [7], and summarize Keywords- Authenticated encryption, block-cipher mode-of- them less formally here. An authenticated encryption with as- operation, AEAD, UMAC, VMAC. sociated data (AEAD) scheme is a triple S = (K,E,D), where K is a set of keys, and E and D are encryption and decryption I. INTRODUCTION functions. Encryption occurs by computing E(k,n,h,p,f), which Traditionally when one wanted to both encrypt and authen- returns (c,t), for key k, nonce n, header h, plaintext m and ticate communications, one would encrypt the message under footer f. Ciphertext c is the encryption of p, and tag t authenti- one key and authenticate the resulting ciphertext under a sepa- cates h, c and f.
    [Show full text]
  • Symmetric Key Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017
    Symmetric Key Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Kölbl June 20th, 2017 DTU Compute, Technical University of Denmark Introduction to Symmetric Key Cryptography Symmetric Key Cryptography What can we do? • Encryption • Authentication (MAC) • Hashing • Random Number Generation • Digital Signature Schemes • Key Exchange 1 Authentication Authentication Message Authentication Code (MAC) Key Message MAC Tag • Produces a tag • Provide both authenticity and integrity • It should be hard to forge a valid tag. • Similar to hash but has a key • Similar to digital signature but same key 2 Authentication MAC Algorithm • Block Cipher Based (CBC-MAC) • Hash-based (HMAC, Sponge) • Universal Hashing (UMAC, Poly1305) 3 Authentication CBC-MAC M1 M2 Mi 0 EK EK EK T 4 Authentication Hash-based: • H(k jj m) • Okay with Sponge, fails with MD construction. • H(m jj k) • Collision on H allows to construct Tag collision. • HMAC: H(k ⊕ c1kj H(k ⊕ c2jjm)) 5 Authentication Universal Hashing (UMAC, Poly1305, …) • We need a universal hash function family H. • Parties share a secret member of H and key k. • Attacker does not know which one was chosen. Definition A set H of hash functions h : U ! N is universal iff 8x; y 2 U: 1 Pr (h(x) = h(y)) ≤ h2H jNj when h is chosen uniformly at random. 6 Authenticated Encryption In practice we always want Authenticated Encryption • Encryption does not protect against malicious alterations. • WEP [TWP07] • Plaintext recovery OpenSSH [APW09] • Recover TLS cookies [DR11] Problem Lot of things can go wrong when combining encryption and authentication. Note: This can allow to recover plaintext, forge messages..
    [Show full text]
  • Kriptografske Tehničke Sigurnosne Mjere
    Sigurnost računalnih sustava Computer Systems Security Kriptografske tehničke sigurnosne mjere Marin Golub Sadržaj • Uvod: Jesu li i koliko su kriptoalgoritmi sigurni? • Napadi na simetrične i asimetrične kriptosustave • Asimetrični kriptosustavi – Kriptosustavi zasnovani na eliptičkim krivuljama • Funkcije za izračunavanje sažetka poruke – Napadi na funkcije za izračunavanje sažetka poruke – Elektronički vs. digitalni potpis – SHA-2 i SHA-3 • Kvantna kriptografija • Natječaji za nove kriptografske algoritme koji su u tijeku – Kriptografija prilagođena ugrađenim računalima (Lightweight Cryptography ) – Asimetrična kriptografija nakon kvantnih računala (Post-Quantum Cryptography ) SRS-Crypto-2/79 Osnovni pojmovi Kriptologija = kriptografija + kriptoanaliza Kriptografija • znanstvena disciplina (ili umjetnost?) sastavljanja poruka sa ciljem skrivanja sadržaja poruka Kriptoanaliza • znanstvena disciplina koja se bavi analizom skrivenih aspekata sustava i koristi se kako bi se ispitala (ili narušila) sigurnost kriptografskog sustava SRS-Crypto-3/79 Jesu li i koliko su kriptoalgoritmi sigurni? • Postoje specijalizirana računala za napad grubom silom na DES kriptosustav: COPACOBANA (A Cost-Optimized PArallel COde Breaker) • 12.12.2009. faktoriziran RSA-768 • na kvantnom računalu je riješen problem faktoriziranja velikih brojeva i problem diskretnog logaritma • 17.8.2004. - kineski i francuski znanstvenici su objavili članak pod naslovom: "Kolizija za hash funkcije: MD4, MD5, Haval-128 i RIPEMD" • 13.2.2005. - kineski znanstvenici: "Collision
    [Show full text]
  • Modes of Operation Module No: CS/CNS/1
    e-PGPathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Modes of Operation Module No: CS/CNS/18 Quadrant 1 – e-text Cryptography and Network Security Module 18- Modes of Operation Learning Objectives To understand the Overview of Modes of Operation Discuss about each mode of operation such as EBC, CBC, CFB, OFB, CTR To Compare different modes and to discuss remarks over them 18.1. INTRODUCTION So far we have seen the basic working of block ciphers. In this section, we discuss about modes of operation of block ciphers. Basically the lengthy plain text is divided into number of blocks in block ciphers. Block ciphers encrypt fixed size blocks eg. DES encrypts 64-bit blocks, with 56-bit key. But in actual scenario, the file size which has to be encrypted may not be the multiple of the block size. That is in practise, we usually need to handle arbitrary amounts of data, which may be available in advance (in which case a block mode is appropriate), and may only be available a bit/byte at a time (in which case a stream mode is used). A mode of operation describes the process of encrypting each of these blocks under a single key. A mode of operation describes the process of encrypting each of these blocks under a single key. Some modes may use randomised addition input value. We can apply a particular mode of operation in this situation. Basic modes of operations such as Electronic Code Book(ECB), Cipher Block Chaining(CBC), Cipher Feed Back (CFB), Output Feed Back (OFB), Counter (CTR) modes are considered here.
    [Show full text]