ale aes based lightweight authenticated encryption
play

ALE: AES-Based Lightweight Authenticated Encryption Andrey Bogdanov - PowerPoint PPT Presentation

Oct 02, 2022 •19 likes •279 views

ALE: AES-Based Lightweight Authenticated Encryption Andrey Bogdanov 1 , Florian Mendel 2 , Francesco Regazzoni 3,4 , Vincent Rijmen 5 , Elmar Tischhauser 5 1 Technical University of Denmark 2 IAIK, Graz University of Technology, Austria 3 ALaRI -

  1. ALE: AES-Based Lightweight Authenticated Encryption Andrey Bogdanov 1 , Florian Mendel 2 , Francesco Regazzoni 3,4 , Vincent Rijmen 5 , Elmar Tischhauser 5 1 Technical University of Denmark 2 IAIK, Graz University of Technology, Austria 3 ALaRI - USI, Switzerland 4 Delft University of Technology, Netherlands 5 Dept. ESAT/COSIC, KU Leuven and iMinds, Belgium

  2. Authenticated Encryption (AE) • Is cryptography about encryption? Yes, but not only! o Encryption alone is not enough in numerous applications o One might even argue that authentication is really what is needed in o most cases • Authenticated encryption AE: (P,K) -> (C,T) with T authentication tag • Authenticated encryption with associated data AEAD: (A,P,K) -> (A,C,T) with A associated data transmitted in plaintext

  3. The assumption of nonce • Nonce N = number used once, freshness • Nice but might be difficult to enforce in sometimes David McGrew, DIAC’12 slides • Good news: Nonce can be “just” a counter!

  4. [RBBK01] Nonce-based: AES-OCB [BR02] [R02] [R04] [KR11] • Init(N): initialization function • Inc: increment function • Checksum = M1 xor M2 xor... Mn

  5. [RBBK01] Nonce-based: AES-OCB [BR02] [R02] [R04] [KR11] + • 1 AES-128 call per block • perfectly parallelizable • only forgery with nonce reuse • associated data

  6. [RBBK01] Nonce-based: AES-OCB [BR02] [R02] [R04] [KR11] + - • • 1 AES-128 call per block enc/dec different • • perfectly parallelizable state 4x128 bits • • only forgery with nonce reuse (patents pending) • associated data

  7. [JK11] ASC-1

  8. [JK11] ASC-1 + • only 4 AES-128 rounds per block • enc/dec similar

  9. [JK11] ASC-1 + • only 4 AES-128 rounds per block • enc/dec similar - • state 4x128 bits • serial • state recovery with nonce reuse • slow in compact ASIC implementation • no associated data

  10. Our Goal • Design of a dedicated AE scheme which would: o require less operations on average o be compact in hardware (for both encryption and decryption) o have low power and low energy figures o be good in software • PC (AES-NI) • Embedded (usually not parallelizable) o rely on some previous cryptanalysis

  11. ALE = associated data AES = AES-128 = message = 128-bit key = ciphertext = tag Initialization: nonce, AES with master k, 0, AES with master k, AES with ks Processing Associated Data: xor with state, 4R AES Processing Message: xor with message, 4R AES LEX leak

  12. [B06] LEX leak for ALE encryption odd rounds even rounds

  13. ALE = associated data AES = AES-128 = message = 128-bit key = ciphertext = tag Initialization: nonce, AES with master k, 0, AES with master k, AES with ks Processing Associated Data: xor with state, 4R AES Processing Message: xor with message, 4R AES LEX leak Finalization: encrypt with AES

  14. ALE = associated data AES = AES-128 = message = 128-bit key = ciphertext = tag + • only 4 AES-128 rounds per block • enc/dec similar • state 2x128 bits • faster in compact ASIC implementation • associated data

  15. ALE = associated data AES = AES-128 = message = 128-bit key = ciphertext = tag + - • • only 4 AES-128 rounds per block serial • • enc/dec similar state recovery with nonce reuse • state 2x128 bits • faster in compact ASIC implementation • associated data

  16. Assumptions for ALE • Assumption 1. Nonce-respecting adversary: A nonce is only used once with the same master key for encryption • Assumption 2. Abort on verification failure: No additional information returned if tampering is detected (in particular, no plaintext blocks)

  17. Claims for ALE • Claim 1. State recovery: State recovery with complexity = t data blocks succeeds with prob at most t2 -128 • Claim 2. Key recovery: State recovery with complexity = t data blocks succeeds with prob at most t2 -128 , even if state recovered • Claim 3. Forgery w/o state recovery: forgery not involving key/state recovery succeeds with prob at most 2 -128

  18. Lightweight ASIC implementation for ALE • ALE implemented using as base AES architecture the smallest available [Moradi et al., Eurocrypt 2011] • Reference algorithms were implemented using the same starting AES • STMicroelectronics 65 nm CMOS LP-HVT, Synopsis 2009.06, 20 MHz

  19. Lightweight ASIC implementation for ALE

  20. Lightweight ASIC implementation for ALE

  21. Software implementation of ALE • Target platforms: o Sanby Bridge 3.1GHz (using AES-NI) o Embedded (estimated) • Parallel or multiple message at a time • Standard Sandy Bridge desktop @ 3.1 GHz • Repeated 100.000 and averaged

  22. Software implementation of ALE (Sandy Bridge) • cycles per byte (AES-NI)

  23. Software implementation of ALE (Sandy Bridge) • cycles per byte (AES-NI)

  24. Software implementation of ALE (embedded) • Serial constructions usually do not cause large overhead • Estimated 2 to 2.5 time faster than AES-OCB

  25. Conclusions • Dedicated nonce-based AES-based AEAD design • Reuses some cryptanalysis of Pelican-MAC and LEX • Small hardware footprint • Fast software (measured with AES-NI, estimated embedded)

  26. Thank you!

Recommend

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito *

Workshop on Cryptographic Hardware and Embedded Systems (CHES 2020) Lightweight Authenticated Encryption Mode of Operation for Tweakable Block Ciphers Yusuke Naito * and Takeshi Sugawara ** * Mitsubishi Electric Corporation ** The University of

420 views • 22 slides
Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 ,

Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 ,

Introduction Motivation Specification for Beetle Hardware Implementation Results of Beetle Conclusions Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 , Nilanjan Datta 2 , Mridul Nandi 3 and Kan

614 views • 32 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

ELmD Authenticated Encryption Scheme EME based Authenticated Encryption Schemes Comparative Study of ELmD with other EME based AEs Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul Nandi Indian

364 views • 20 slides
JAMBU Lightweight Authenticated Encryption Mode and AES-JAMBU Hongjun Wu, Tao Huang Division of

JAMBU Lightweight Authenticated Encryption Mode and AES-JAMBU Hongjun Wu, Tao Huang Division of

JAMBU Lightweight Authenticated Encryption Mode and AES-JAMBU Hongjun Wu, Tao Huang Division of Mathematical Sciences School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore { wuhj,huangtao } @ntu.edu.sg

267 views • 16 slides
Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan Daemen 1 , Michal Peeters 2 , and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. While mainstream symmetric cryptography has

519 views • 12 slides
Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

(A brief, incomplete) Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and Privacy June 11, 2018 Authenticated Encryption M M Its complicated Probabilistic or deterministic AE? Nonce based AE?

868 views • 47 slides
Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein University of Illinois at Chicago & m Technische Universiteit Eindhoven c k More details, credits: competitions.cr.yp.to network

1.33k views • 118 slides
The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich and Christian Rechberger University of Luxembourg and DTU (Denmark) Presented by Yu Sasaki (NTT, Japan) 15 August 2013 Authenticated encryption

556 views • 22 slides
APE(X): Authenticated Permutation-Based Encryption with Extended Misuse Resistance Atul Luykx

APE(X): Authenticated Permutation-Based Encryption with Extended Misuse Resistance Atul Luykx

APE(X): Authenticated Permutation-Based Encryption with Extended Misuse Resistance Atul Luykx COSIC, KU Leuven August 14, 2013 Joint work with A. Bogdanov, E. Andreeva, B. Mennink, N. Mouha, K. Yasuda 1 / 16 Stateless, Deterministic

198 views • 17 slides
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

602 views • 27 slides
Hermes: A Language for Lightweight Encryption Torben gidius Mogensen RC 2020 Background:

Hermes: A Language for Lightweight Encryption Torben gidius Mogensen RC 2020 Background:

Hermes: A Language for Lightweight Encryption Torben gidius Mogensen RC 2020 Background: Lightweight Encryption Lightweight: Meant to be fast. Symmetric key: Same key used for encryption and decryption. Used in embedded systems, browsers,

300 views • 12 slides
Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva COSIC, KU Leuven, Belgium Cryptoday 2014 Technion, Haifa, Israel 30/12/2014 Outline Authenticated Encryption: AE Generic AE composition

732 views • 55 slides
On Some Constructions for Authenticated Encryption with Associated Data Palash Sarkar Applied

On Some Constructions for Authenticated Encryption with Associated Data Palash Sarkar Applied

On Some Constructions for Authenticated Encryption with Associated Data Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in (Partially based on joint work with Debrup Chakraborty) Directions

1.01k views • 61 slides
AES-Based Authenticated Encryption Modes in Parallel High-Performance Software Andrey Bogdanov

AES-Based Authenticated Encryption Modes in Parallel High-Performance Software Andrey Bogdanov

AES-Based Authenticated Encryption Modes in Parallel High-Performance Software Andrey Bogdanov Martin M. Lauridsen Elmar Tischhauser mmeh @ dtu.dk DTU Compute, Technical University of Denmark DIAC 2014 Santa Barbara, August 24, 2014 Context

540 views • 19 slides
The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton DIAC Directions in Authenticated Ciphers 05 July 2012

748 views • 52 slides
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological University, Katholieke Universiteit Leuven Presented at DIAC 1 Classification of Authenticated Encryption AEGIS Design rationale

635 views • 19 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Taxonomy of security Authenticated encryption

440 views • 26 slides
CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE: Challenges in Authenticated Encryption https://chae.cr.yp.to Contributors to the white paper Jean-Philippe Aumasson David McGrew Steve Babbage

411 views • 4 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Authenticated Encryption! ( Using AES with 128

893 views • 67 slides
Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr

Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr

Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr 2 1 NEC Laboratories Europe, Germany 2 EPFL, Switzerland DIAC 2016: Directions in Authenticated Ciphers 2016 This work was partially supported by

696 views • 43 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides

More recommend