Introduction Idealized Combined Feedback Construction : iCOFB Specification for COFB Hardware Implementation Results of COFB Conclusion

Blockcipher-based Authenticated Encryption: How Small Can We Go?

Avik Chakraborti (Indian Statistical Institute, Kolkata)
Tetsu Iwata (Nagoya University, Japan)
Kazuhiko Minematsu (NEC Corporation, Japan)
Mridul Nandi (Indian Statistical Institute, Kolkata)

September, 2016

COFB

1. Introduction
2. Idealized Combined Feedback Construction : iCOFB
3. Specification for COFB
4. Hardware Implementation Results of COFB
5. Conclusion

Authenticated Encryption (AE)

More formally:

$AE.enc : \mathcal{M} \times \mathcal{D} \times \mathcal{N} \times \mathcal{K} \to \mathcal{C}$
$AE.dec : \mathcal{C} \times \mathcal{D} \times \mathcal{N} \times \mathcal{K} \to \mathcal{M} \cup \{\bot\}$

| Goal      | Primitive            | Security |
|-----------|----------------------|----------|
| Privacy   | Symmetric Encryption | IND-CPA  |
| Integrity | MAC/Others           | INT-CTXT |

Table: Security Properties

IND-CPA Security for Privacy

[Figure: the adversary $A$ sends queries $(N_i, A_i, M_i)$, $i = 1 \ldots q$, to an oracle that simulates either $E_k(\cdot)$ or $\$(\cdot)$, receives $(C_i, T_i)$, and outputs 0/1.]

$\Delta_A(O_1; O_2) = |\Pr[A^{O_1} = 1] - \Pr[A^{O_2} = 1]|$

$\mathrm{Adv}^{\mathrm{PRIV}}_{AE}(A) := \Delta_A(E_K; \$)$

$\mathrm{Adv}^{\mathrm{PRIV}}_{AE}(q, \sigma, t) = \max_A \mathrm{Adv}^{\mathrm{PRIV}}_{AE}(A)$

$t$: time, $q$: number of queries, $\sigma$: number of blocks in all queries

INT-CTXT Security for Integrity

[Figure: the adversary $A$ sends encryption queries $(N_i, A_i, M_i)$, $i = 1 \ldots q_e$, to $E_k(\cdot)$ and receives $(C_i, T_i)$; it makes forge attempts $(N^*_j, A^*_j, C^*_j, T^*_j)$, $j = 1 \ldots q_f$, to $V_k(\cdot)$ and receives 0/1.]

$A$ forges if $\exists\, (N^*_j, A^*_j, C^*_j, T^*_j)$ such that $V_k(N^*_j, A^*_j, C^*_j, T^*_j) = 1$

$\mathrm{Adv}^{\mathrm{INT}}_{AE}(A) := \Pr[A^{E_k} \text{ forges}]$

$\mathrm{Adv}^{\mathrm{INT}}_{AE}((q_e, q_f), (\sigma_e, \sigma_f), t) = \max_A \mathrm{Adv}^{\mathrm{INT}}_{AE}(A)$

1. Introduction
2. Idealized Combined Feedback Construction : iCOFB
   - Motivation
   - Idealized Combined-Feedback Authenticated Encryption : iCOFB
   - Security of iCOFB
3. Specification for COFB
4. Hardware Implementation Results of COFB
5. Conclusion

Current State of the Art

Structural Properties

| Schemes | CLOC-SILC | AES-JAMBU            | iFEED       |
|---------|-----------|----------------------|-------------|
| State   | 2n + k    | 1.5n + k             | 3n + k      |
| Rate    | 1/2       | 1/2                  | 1           |
| Proofs  | Yes       | Yes (integrity only) | Yes (wrong) |

Here n is the block size of the blockcipher.

Main Idea and Motivation Behind the Construction

- Very small cipher state
- Provable security in terms of both privacy and integrity

iCOFB Construction

- Generic Combined Feedback Mode
- Instantiated by COFB AE scheme
- Easy to Understand COFB

iCOFB Construction

[Figure: iCOFB for a four-block message. Labels: input $0^n$; tweakable random functions $R_{N,A,(0,0)}$, $R_{N,A,(1,0)}$, $R_{N,A,(2,0)}$, $R_{N,A,(3,0)}$, $R_{N,A,(4,1)}$; states $Y[0], \ldots, Y[4]$ and $X[1], \ldots, X[4]$; message blocks $M[1], \ldots, M[4]$ entering $\rho$; ciphertext blocks $C[1], \ldots, C[4]$.]

$R_{N,A,(a,b)}$: tweakable random function. $\forall\, N, A, (a, b)$: $R_{N,A,(a,b)} : \mathcal{B} \to \mathcal{B}$

iCOFB Construction

[Figure: the iCOFB construction for a four-block message, with the $\rho$ boxes highlighted.]

$\rho$: linear feedback function

iCOFB Construction

[Figure: the iCOFB construction for a four-block message, with the outputs highlighted.]

$CT = (C[1], C[2], C[3], C[4])$, $Tag = Y[4]$

Linear Feedback Function : $\rho$

For $\rho : \mathcal{B} \times \mathcal{B} \to \mathcal{B} \times \mathcal{B}$, $\exists\, \rho'$

Correctness condition for encryption:

$\forall\, Y, M \in \mathcal{B}$, $\rho(Y, M) = (X, C) \Rightarrow \rho'(Y, C) = (X, M)$

$\rho$ ensures that, given $(Y, C)$, $M$ is uniquely computable.

Example: $\rho = \begin{pmatrix} G & I \\ I & I \end{pmatrix}$, $\rho' = \begin{pmatrix} I + G & I \\ I & I \end{pmatrix}$, $G$ is invertible

$\rho$ and $\rho'$

$\rho$: during encryption

$\begin{pmatrix} X[i] \\ C[i] \end{pmatrix} = \begin{pmatrix} E_{1,1} & E_{1,2} \\ E_{2,1} & E_{2,2} \end{pmatrix} \begin{pmatrix} Y[i-1] \\ M[i] \end{pmatrix}$

If $\rho$ satisfies the correctness condition then $E_{2,2}$ must be invertible.

$\rho'$: during decryption

$\begin{pmatrix} X[i] \\ M[i] \end{pmatrix} = \begin{pmatrix} D_{1,1} & D_{1,2} \\ D_{2,1} & D_{2,2} \end{pmatrix} \begin{pmatrix} Y[i-1] \\ C[i] \end{pmatrix}$

$D_{1,1} = E_{1,1} + E_{1,2} . E_{2,2}^{-1} . E_{2,1}$, $D_{1,2} = E_{1,2}$

$D_{2,1} = E_{2,2}^{-1} . E_{2,1}$, $D_{2,2} = E_{2,2}^{-1}$

$\rho$ is valid if (C1) $E_{2,1}$, (C2) $D_{1,2}$ and (C3) $D_{1,1}$ are invertible.

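An added example, not taken from the slides: iCOFB over full 128-bit blocks with the example $\rho$ and $\rho'$ matrices given above, showing that decryption recovers the message and that a modified ciphertext block changes $X[i]$ and therefore the tag. The concrete G, the HMAC-SHA256 stand-in for the tweakable random function R, the key, and the rule that b = 1 on the last block (generalizing the four-block figure) are assumptions.

```python
import hashlib, hmac, os

N_BYTES = 16                      # assumed block size n = 128 bits
KEY = os.urandom(32)              # assumed key seeding the stand-in for R

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def G(y):
    # Assumed G on four 32-bit words: (y1, y2, y3, y4) -> (y2, y3, y4, y1 ^ y4).
    # Both G and I+G are invertible, so D11 = I+G meets condition (C3).
    return y[4:] + xor(y[:4], y[12:])

def rho(y, m):
    # Encryption feedback [[G, I], [I, I]]: X = G.Y + M, C = Y + M
    return xor(G(y), m), xor(y, m)

def rho_prime(y, c):
    # Decryption feedback [[I+G, I], [I, I]]: X = (I+G).Y + C, M = Y + C
    return xor(xor(y, G(y)), c), xor(y, c)

def R(nonce, ad, a, b, x):
    # Stand-in for the tweakable random function R_{N,A,(a,b)}: truncated
    # HMAC-SHA256 over a length-prefixed encoding of the tweak, then the input.
    tweak = b"".join(len(s).to_bytes(4, "big") + s for s in (nonce, ad))
    tweak += a.to_bytes(4, "big") + bytes([b])
    return hmac.new(KEY, tweak + x, hashlib.sha256).digest()[:N_BYTES]

def run_chain(nonce, ad, blocks, feedback):
    if not blocks or any(len(blk) != N_BYTES for blk in blocks):
        raise ValueError("this sketch handles one or more full blocks only")
    y = R(nonce, ad, 0, 0, bytes(N_BYTES))             # Y[0] = R_{N,A,(0,0)}(0^n)
    out = []
    for i, blk in enumerate(blocks, start=1):
        x, o = feedback(y, blk)                        # rho or rho'
        out.append(o)
        y = R(nonce, ad, i, int(i == len(blocks)), x)  # b = 1 on the last block
    return out, y                                      # y is the tag Y[m]

def encrypt(nonce, ad, msg_blocks):
    return run_chain(nonce, ad, msg_blocks, rho)

def decrypt(nonce, ad, ct_blocks, tag):
    msg, y = run_chain(nonce, ad, ct_blocks, rho_prime)
    return msg if hmac.compare_digest(y, tag) else None  # None stands for the reject symbol
```
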
Privacy and Authenticity for iCOFB

(C2) $\Rightarrow \forall\, Y, C \neq C'$: $D_{1,1}.Y + D_{1,2}.C \neq D_{1,1}.Y + D_{1,2}.C'$

(C3) $\Rightarrow \rho$ is invertible (for correctness $E_{2,2}^{-1}$ is invertible). Hence,

$\Pr[Y \xleftarrow{\$} \mathcal{B} : D_{1,1}.Y + D_{1,2}.C = X] = 2^{-n}$, $\forall\, (C, X) \in \mathcal{B}^2$

Theorem. If $\rho$ is valid then for an adversary $A$ making $q$ encryption queries and $q_f$ forging attempts having at most $\ell_f$ many blocks, we have

$\mathrm{Adv}^{\mathrm{priv}}_{iCOFB}(A) = 0$, $\mathrm{Adv}^{\mathrm{auth}}_{iCOFB}(A) \leq \dfrac{q_f(\ell_f + 1)}{2^n}$.

1. Introduction
2. Idealized Combined Feedback Construction : iCOFB
3. Specification for COFB
   - Underlying Mathematical Components for COFB
   - Security Bounds
   - Properties
4. Hardware Implementation Results of COFB
5. Conclusion

Design Rationale and Challenges

- COFB: an instantiation of iCOFB
- Instantiation of iCOFB is possible by a standard method (like XE mode), but this results in 2 state memories
- Here, we considered a half tweak (only a half-bit mask)
- Sufficient for the standard security bound
- The proof for COFB is not the same as for XE-based iCOFB
- Proof based on the specific design (w/o iCOFB's security bound)