
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable - PowerPoint PPT Presentation

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers
Thomas Peyrin (1), Yannick Seurin (2)
(1) NTU, Singapore; (2) ANSSI, France
August 15, 2016


3. Our Goal
• in replacement of COPA, design an AE mode of operation for tweakable block ciphers which provides:
  1. (full, not online) nonce-misuse resistance up to the birthday bound
  2. beyond-birthday-bound (BBB) security in the nonce-respecting setting
• existing (TBC ⇒ AE) modes:
  • ΘCB [KR11] is perfectly secure in the nonce-respecting scenario, but not secure at all in the nonce-misuse scenario
  • COPA [ABL+13] provides only online nonce-misuse resistance
  • AEZ [HKR15] provides birthday-security even in the nonce-respecting scenario
  • PIV [ST13] requires a very long tweak-length (size of the maximal message length)
• our new mode = SCT (Synthetic Counter in Tweak)
T. Peyrin, Y. Seurin, Counter-in-Tweak, CRYPTO 2016

4. Outline
• TBCs and AE
• Generic Composition: the NSIV Method
• Authentication: the EPWC Mode
• Encryption: the CTRT Mode
• Conclusion

6. Building Block: Tweakable Block Ciphers (TBCs)
[Figure: a TBC Ẽ_K takes a block X and a tweak T and outputs Y.]
• tweak T: brings variability to the block cipher
• T assumed public or even adversarially controlled
• each tweak should give an "independent" permutation
• few "natively tweakable" BCs:
  • Hasty Pudding Cipher [Sch98]
  • Mercy [Cro00]
  • Threefish [FLS+10]
  • CAESAR proposals KIASU, Deoxys, Joltik, (i)SCREAM, Minalpher

7. Goal: Nonce-Based Authenticated Encryption (nAE)
Syntax. A nAE scheme Π is a pair of algorithms (Π.Enc, Π.Dec) where
• algorithm Π.Enc takes
  • (a key K)
  • a nonce N
  • associated data A
  • a message M
  and returns a ciphertext C.
• algorithm Π.Dec takes K and (N, A, C) and returns M or ⊥.

8. Goal: Nonce-Based Authenticated Encryption (nAE)
[Figure: the adversary A sends encryption queries (N, A, M) and decryption queries (N, A, C) either to the real oracles (Enc_K(·,·,·), Dec_K(·,·,·)) or to the ideal oracles ($(·,·,·), ⊥(·,·,·)), and outputs a bit 0/1.]
Security (all-in-one definition)
• The scheme Π is secure if adversary A cannot distinguish (Enc_K, Dec_K) and ($, ⊥).
• A cannot ask a decryption query (N, A, C) if it received C from an encryption query (N, A, M)
• A is said nonce-respecting if it never repeats a nonce in encryption queries.

9. Misuse-Resistant AE (MRAE)
Nonce-misuse resistance (informal) [RS06]. A nAE scheme is said nonce-misuse resistant if repeating a nonce in encryption queries:
• does not harm authenticity
• hurts confidentiality only insofar as repetitions of triplets (N, A, M) are detectable
• ≃ deterministic authenticated encryption
• MRAE schemes cannot be online (each ciphertext bit must depend on each input bit)

11. Generic Composition
Starting from two building blocks:
• a MAC (or a PRF) F_{K1}(·,·,·)
• an encryption scheme Enc_{K2}(·,·)
combine them to obtain a nAE scheme [BN00, NRS14].
Two types of encryption schemes:
• (random) IV-based encryption (ivE): C = Enc_{K2}(IV, M), IV randomly chosen by the encryption oracle (ex: CBC)
• nonce-based encryption (nE): C = Enc_{K2}(N, M), N chosen by the adversary but non-repeating (ex: nonce-based CTR mode, GCM)

12. From SIV to NSIV
[Figure: F_{K1} takes (N, A, M) and outputs the tag; Conv maps the tag to the IV; Π.Enc_{K2} takes the IV and M and outputs C.]
• SIV (Synthetic IV) [RS06] combines a PRF F_{K1}(N, A, M) and an IV-based encryption scheme Π.Enc_{K2}(IV, M)
• provides nonce-misuse resistance up to the birthday-bound from birthday-secure components (e.g. CMAC + CTR encryption)
• what about BBB-security in the nonce-respecting case?
⇒ Re-use the nonce N in the encryption scheme!

13. Combined Nonce and IV-based (nivE) Encryption
[Figure: F_{K1} takes (N, A, M) and outputs the tag; Conv maps the tag to the IV; Π.Enc_{K2} takes the nonce N, the IV and M and outputs C.]
• the encryption algorithm Π.Enc takes a nonce and a random IV!
• security definition: ciphertexts must be indist. from random, assuming nonces do not repeat and IV is random
• NB: when nonces can be repeated, ≃ (family of) standard IV-based encryption scheme

14. Security Result for NSIV
[Figure: NSIV[F, Π]: F_{K1}(N, A, M) → tag; Conv(tag) → IV; Π.Enc_{K2}(N, IV, M) → C.]
Theorem. For any adversary A against NSIV[F, Π],
  Adv^{nAE}_{NSIV}(A) ≤ Adv^{nivE}_{Π}(A′) + Adv^{nPRF}_{F}(A″) + Adv^{nMAC}_{F}(A‴).
Moreover, if A repeats any nonce at most m times, then A′, A″, and A‴ also repeat any nonce at most m times.

15. Instantiating F and Π
Remainder of the talk: how to instantiate the PRF F and the nivE encryption scheme Π from a TBC Ẽ so that
• we get BBB-security in the nonce-respecting setting
• we retain birthday-bound security in the nonce-misuse setting

17. The EPWC (Encrypted Parallel Wegman-Carter) Mode
[Figure: top row, tweak indices 0–4: the nonce N (call annotated "PRF(N)") and the associated-data blocks A1, A2, A3‖10* are each encrypted with Ẽ_K under a tweak carrying a domain prefix (labelled 2, one call labelled 2/3) and the block index, and the outputs are XORed into auth. Bottom row, tweak indices 1–5: the message blocks M1, …, M5‖10* are each encrypted with Ẽ_K under prefix 4 (one call labelled 4/5) and XORed into auth; the two rows together are annotated "PHASH(A, M)". A last call of Ẽ_K, labelled 0 and annotated "Final encryption (nonce-misuse resistance)", encrypts auth into the tag.]

18. Security of EPWC
Theorem. Let A be an adversary against EPWC with an ideal TBC with block-length n making at most q queries. Then
(a) If A is nonce-respecting,
  Adv^{nPRF}_{EPWC}(A) ≤ O(q / 2^n),   Adv^{nMAC}_{EPWC}(A) ≤ O(q / 2^n).
(b) If A is allowed to repeat nonces, then
  Adv^{PRF}_{EPWC}(A) ≤ (q² + q) / 2^n,   Adv^{MAC}_{EPWC}(A) ≤ q² / 2^n.

20. The CTRT (CounTeR-in-Tweak) Encryption Mode
[Figure: five calls of Ẽ_K with tweaks IV, IV+1, IV+2, IV+3, IV+4 and message input N; the i-th output is XORed with M_i to give C_i, i.e. C_i = M_i ⊕ Ẽ_K(IV + i − 1, N) for i = 1, …, 5.]
• how to build a counter-like nivE encryption scheme?
• nonce in the tweak ⇒ birthday attack!
• switch inputs: nonce in "message input" and counter in tweak
• key observation: T ↦ Ẽ_K(T, N) is a pseudorandom function
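As an added example (not code from the paper or from any SCT implementation), here is the NSIV composition of slides 12–14 instantiated with the CTRT mode of slide 20, in Python. The TBC is a stand-in built from HMAC-SHA256 and F is a plain HMAC-based PRF rather than EPWC; the 128-bit block and tweak lengths, the length-prefixed encoding inside F and the Conv map are this example's assumptions.

```python
import hmac
import hashlib

N_BYTES = 16   # block length n = 128 bits
T_BYTES = 16   # tweak length t = 128 bits (an assumption of this example)


def tbc(key: bytes, tweak: bytes, x: bytes) -> bytes:
    """Stand-in for the forward direction of a TBC, E~_K(T, X).

    Constructed for this example only: HMAC-SHA256 over tweak||X, truncated to n bits.
    It is a PRF rather than a permutation, which suffices here because NSIV[F, CTRT]
    never calls the TBC backwards (CTRT decryption regenerates the same keystream).
    """
    assert len(tweak) == T_BYTES and len(x) == N_BYTES
    return hmac.new(key, tweak + x, hashlib.sha256).digest()[:N_BYTES]


def ctrt(key: bytes, nonce: bytes, iv: int, data: bytes) -> bytes:
    """CTRT: the counter IV+i goes into the tweak, the nonce into the message input.

    Keystream block i is E~_K(IV + i, N); XORing it into the data both encrypts
    and decrypts. The counter wraps modulo 2^t.
    """
    assert len(nonce) == N_BYTES, "the nonce fills the TBC message input"
    out = bytearray()
    for i in range(-(-len(data) // N_BYTES)):
        tweak = ((iv + i) % (1 << (8 * T_BYTES))).to_bytes(T_BYTES, "big")
        ks = tbc(key, tweak, nonce)
        chunk = data[i * N_BYTES:(i + 1) * N_BYTES]
        out += bytes(a ^ b for a, b in zip(chunk, ks))  # zip truncates the last block
    return bytes(out)


def prf(key: bytes, nonce: bytes, ad: bytes, msg: bytes) -> bytes:
    """Stand-in for the PRF F_K1(N, A, M); NOT the paper's EPWC mode.

    Length-prefixing each field makes the encoding injective, so distinct
    (N, A, M) triplets never collide before the HMAC call.
    """
    encoded = b"".join(len(f).to_bytes(8, "big") + f for f in (nonce, ad, msg))
    return hmac.new(key, encoded, hashlib.sha256).digest()[:N_BYTES]


def conv(tag: bytes) -> int:
    """Conv: derive the t-bit IV from the tag (here the tag itself, read as an integer)."""
    return int.from_bytes(tag[:T_BYTES], "big")


def nsiv_encrypt(k1: bytes, k2: bytes, nonce: bytes, ad: bytes, msg: bytes):
    """NSIV[F, CTRT].Enc: tag = F_K1(N, A, M); IV = Conv(tag); C = CTRT_K2(N, IV, M)."""
    tag = prf(k1, nonce, ad, msg)
    return ctrt(k2, nonce, conv(tag), msg), tag


def nsiv_decrypt(k1: bytes, k2: bytes, nonce: bytes, ad: bytes, ct: bytes, tag: bytes):
    """NSIV[F, CTRT].Dec: recover M from the IV carried by the tag, then check the tag.

    Returns None (the slides' ⊥) on a tag mismatch; the comparison is constant-time.
    """
    msg = ctrt(k2, nonce, conv(tag), ct)
    if not hmac.compare_digest(prf(k1, nonce, ad, msg), tag):
        return None
    return msg


if __name__ == "__main__":
    k1, k2 = bytes(range(16)), bytes(range(16, 32))     # constructed demo keys
    nonce = b"\x01" * N_BYTES
    msg = b"the quick brown fox jumps over the lazy dog"
    ct, tag = nsiv_encrypt(k1, k2, nonce, b"header", msg)
    assert nsiv_decrypt(k1, k2, nonce, b"header", ct, tag) == msg
    # Repeating the same (N, A, M) yields the same (C, tag): the repetition is
    # detectable, which is exactly what nonce-misuse resistance permits.
    assert nsiv_encrypt(k1, k2, nonce, b"header", msg) == (ct, tag)
    print("ciphertext:", ct.hex(), "tag:", tag.hex())
```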

21. Security of CTRT
Theorem.
• n = block-length
• t = tweak-length
• σ = total length of queries (in n-bit blocks)
• m = maximal number of repetitions of any nonce
  Adv^{nivE}_{CTRT}(A) ≤ (2(m − 1)σ + 1) / 2^t + 2σ log²σ / 2^n      when σ ≤ 2^t,
  Adv^{nivE}_{CTRT}(A) ≤ (2(m − 1)σ + 1) / 2^t + 2t²σ² / 2^{n+t}     when σ ≥ 2^t.
• nonce-respecting (m = 1): security up to σ ≃ min{2^n, 2^{(n+t)/2}}
• security degrades "gracefully" with the maximal number of nonce repetitions m

22. Proof of Security of CTRT (nonce-respecting)
[Figure: the CTRT diagram, tweaks IV, IV+1, …, IV+4 and message input N for M1, …, M5.]
• assume first that nonces are never repeated
• we want to show that ciphertexts are indist. from random
• each random IV determines the sequence of tweaks (IV, IV+1, …) used in the TBC
• for each tweak T ∈ 𝒯, let L(T) ("load") be the number of times the tweak T has been used throughout encryption queries

23. Proof of Security of CTRT (nonce-respecting)
• for each tweak, we have an independent PRF/PRP distinguishing problem with L(T) "queries" (nonces):
  Adv(A) ≤ Σ_{T∈𝒯} L(T)² / (2·2^n) ≤ min{σ, 2^t} · (L_max)² / (2·2^n)
• upper bound on L_max = max L(T): "balls-into-bins" problem

  63. Proof of Security of CTRT (nonce-respecting)

  [Figure: 2^t bins T_1, …, T_10 (the tweak values); the nonces N_1, …, N_5 are thrown into runs of consecutive bins, one run per query.]

  • 2^t bins = tweak values
  • σ balls = nonces
  • for each query, the random IV determines in which (consecutive) bins the nonces are thrown
  • except with probability 1/2^t, one has
    (a) if $\sigma \le 2^t$, then $\max L(T) \le 2 \log \sigma$;
    (b) if $\sigma \ge 2^t$, then $\max L(T) \le \frac{2 t \sigma}{2^t}$.

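The two slides above describe CTRT and the load bookkeeping behind its nonce-respecting bound: each query consumes the tweaks IV, IV+1, …, the load L(T) counts how often tweak T is hit, and the adversary's advantage is bounded by one PRF/PRP switching term per tweak, which the balls-into-bins lemma then controls through L_max. The following Python is an added example, not code from the slides or from the authors: it runs a toy CTRT with a keyed-function stand-in for the TBC (an assumption; CTRT only calls the TBC forwards, so the mode still runs), computes L(T) over a set of (IV, length) queries, evaluates both sides of the bound on slide 61, and samples random IVs to compare the max load with 2 log σ from case (a). The parameters n = 32 and t = 8 and every helper name are the example's own.

```python
# Added example (not from the Peyrin-Seurin slides): a toy CTRT encryption with the
# tweak-load bookkeeping L(T) used in the nonce-respecting proof. Parameters n, t and
# the HMAC-based stand-in for the TBC are constructed for illustration.
import hashlib
import hmac
import math
import random

N_BITS = 32   # block size n of the toy TBC (constructed; real TBCs use n = 128)
T_BITS = 8    # tweak size t, so 2^t = 256 tweak values ("bins")
TWEAK_SPACE = 1 << T_BITS


def toy_tbc(key: bytes, tweak: int, block: int) -> int:
    """Stand-in for the forward TBC call E~_K^T(X).

    CTRT only calls the TBC in the forward direction and the proof treats each
    tweak as an independent PRF/PRP instance, so a keyed function (HMAC over
    key, tweak and block) is enough to run the mode; it is NOT a real TBC.
    """
    msg = tweak.to_bytes(2, "big") + block.to_bytes(N_BITS // 8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[: N_BITS // 8], "big")


def ctrt_encrypt(key: bytes, nonce: int, iv: int, blocks: list) -> list:
    """C_i = M_i XOR E~_K^{IV+i}(N): the counter IV+i is the tweak, the nonce is the input.

    Tweaks wrap modulo 2^t. Decryption is the same call (XOR with the same keystream).
    """
    return [m ^ toy_tbc(key, (iv + i) % TWEAK_SPACE, nonce) for i, m in enumerate(blocks)]


def tweak_loads(queries: list) -> dict:
    """L(T) for every tweak T: how many times T was used across queries (iv, length)."""
    load = {}
    for iv, length in queries:
        for i in range(length):
            t = (iv + i) % TWEAK_SPACE
            load[t] = load.get(t, 0) + 1
    return load


def per_tweak_bound(loads: dict) -> float:
    """Sum over tweaks of L(T)^2 / (2 * 2^n): one PRF/PRP switching term per tweak."""
    return sum(l * l for l in loads.values()) / (2 * 2 ** N_BITS)


def simplified_bound(loads: dict, sigma: int) -> float:
    """min{sigma, 2^t} * L_max^2 / (2 * 2^n).

    At most min{sigma, 2^t} tweaks carry a non-zero load and each L(T) <= L_max,
    so this value dominates per_tweak_bound().
    """
    l_max = max(loads.values())
    return min(sigma, TWEAK_SPACE) * l_max ** 2 / (2 * 2 ** N_BITS)


def balls_into_bins(lengths: list, seed: int) -> tuple:
    """Draw a random IV per query; return (sigma, max load, 2 * log2(sigma)).

    Each query throws `length` balls (copies of its nonce) into consecutive bins
    starting at IV; case (a) says max L(T) <= 2 log sigma except with prob. 1/2^t.
    """
    rng = random.Random(seed)
    queries = [(rng.randrange(TWEAK_SPACE), length) for length in lengths]
    loads = tweak_loads(queries)
    sigma = sum(lengths)
    return sigma, max(loads.values()), 2 * math.log2(sigma)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    msg = [0x11111111, 0x22222222, 0x33333333]
    ct = ctrt_encrypt(key, nonce=7, iv=250, blocks=msg)   # uses tweaks 250, 251, 252
    assert ctrt_encrypt(key, 7, 250, ct) == msg
    loads = tweak_loads([(0, 5), (3, 4)])                 # tweaks 3 and 4 are hit twice
    print("loads:", loads, "max load:", max(loads.values()))
    print("bound:", per_tweak_bound(loads), "<=", simplified_bound(loads, 9))
    print("balls-into-bins (sigma, max load, 2 log sigma):", balls_into_bins([4] * 20, seed=1))
```

The load dictionary makes the proof's structure visible: two queries whose tweak windows overlap (IVs 0 and 3 with lengths 5 and 4) give L(3) = L(4) = 2, and the per-tweak sum 13/2^33 sits below the simplified bound min{9, 256}·2²/2^33. With the tiny t = 8 chosen here, windows overlap often; a real instantiation with t ≥ 64 keeps L_max at the logarithmic level the lemma promises.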

  71. Proof of Security of CTRT (nonce-misuse)

  [Figure: bins T_1, …, T_10; the same nonce N is thrown in three separate queries.]

  • bad event that allows one to distinguish outputs from random: ∃ two encryption queries with the same nonce and a common tweak (counter)
  • for two messages of length ℓ and ℓ′, this happens with probability (ℓ + ℓ′ − 1)/2^t
  • yields the term (m − 1)σ/2^t in the security bound

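The slide above states the one event that breaks CTRT under nonce misuse: two queries with the same nonce whose counter windows share a tweak. The Python below is an added example, not code from the slides or the authors' own implementation: it detects that event on constructed (nonce, IV, length) queries, confirms the (ℓ + ℓ′ − 1)/2^t figure by enumerating every IV′ for a small tweak size, and checks that summing ℓ + ℓ′ − 1 over all same-nonce pairs is at most (m − 1)σ, which is where the (m − 1)σ/2^t term comes from (m is taken as the maximum number of queries sharing one nonce, an assumption about the slide's notation). The tweak size t = 8 and all helper names are the example's own.

```python
# Added example (not from the Peyrin-Seurin slides): the nonce-misuse bad event of
# CTRT on constructed queries (nonce, IV, length). The tweak size t is a constructed
# parameter; "m" is read as the maximal number of queries sharing one nonce.
from collections import defaultdict
from itertools import combinations

T_BITS = 8                 # tweak size t (constructed): 2^t = 256 counter values
TWEAK_SPACE = 1 << T_BITS


def tweak_window(iv: int, length: int) -> set:
    """Tweaks IV, IV+1, ..., IV+length-1 used by one query, wrapping modulo 2^t."""
    return {(iv + i) % TWEAK_SPACE for i in range(length)}


def group_by_nonce(queries: list) -> dict:
    """Map each nonce to the list of (iv, length) queries that used it."""
    groups = defaultdict(list)
    for nonce, iv, length in queries:
        groups[nonce].append((iv, length))
    return groups


def bad_event(queries: list) -> bool:
    """True iff two encryption queries share a nonce AND a tweak (counter value).

    Only then is the same TBC input (the nonce) processed twice under the same
    tweak, producing an equal keystream block that distinguishes from random.
    """
    for group in group_by_nonce(queries).values():
        for (iv1, l1), (iv2, l2) in combinations(group, 2):
            if tweak_window(iv1, l1) & tweak_window(iv2, l2):
                return True
    return False


def overlap_count(l1: int, l2: int) -> int:
    """Number of IV' values (out of 2^t) for which a window of length l2 starting at
    IV' meets a window of length l1 starting at IV = 0.  Enumeration gives l1 + l2 - 1
    whenever l1 + l2 - 1 <= 2^t, i.e. probability (l + l' - 1)/2^t for a random IV'."""
    w1 = tweak_window(0, l1)
    return sum(1 for iv2 in range(TWEAK_SPACE) if w1 & tweak_window(iv2, l2))


def union_bound_numerator(queries: list) -> int:
    """Sum over same-nonce pairs of (l + l' - 1): the union bound before dividing by 2^t."""
    total = 0
    for group in group_by_nonce(queries).values():
        for (_, l1), (_, l2) in combinations(group, 2):
            total += l1 + l2 - 1
    return total


def misuse_parameters(queries: list) -> tuple:
    """(m, sigma): m = max number of queries sharing one nonce, sigma = total blocks."""
    groups = group_by_nonce(queries)
    m = max(len(g) for g in groups.values())
    sigma = sum(length for _, _, length in queries)
    return m, sigma


def union_bound_holds(queries: list) -> bool:
    """Check sum_{pairs} (l + l' - 1) <= (m - 1) * sigma.

    Within one nonce group of k <= m queries the pair sum equals
    (k - 1) * sum(l_i) - k(k - 1)/2 <= (m - 1) * sum(l_i); adding up the groups
    gives (m - 1) * sigma, hence the (m - 1) sigma / 2^t term of the bound.
    """
    m, sigma = misuse_parameters(queries)
    return union_bound_numerator(queries) <= (m - 1) * sigma


if __name__ == "__main__":
    # Constructed queries: nonce b"A" is reused three times, b"B" once.
    queries = [(b"A", 0, 3), (b"A", 10, 4), (b"A", 20, 5), (b"B", 7, 2)]
    print("bad event:", bad_event(queries))                       # windows do not meet
    print("bad event:", bad_event(queries + [(b"A", 1, 2)]))      # {1, 2} meets {0, 1, 2}
    print("overlap count for l=3, l'=4:", overlap_count(3, 4), "(= 3 + 4 - 1)")
    print("(m, sigma):", misuse_parameters(queries), "pair sum:", union_bound_numerator(queries))
    print("union bound holds:", union_bound_holds(queries))
```

Note that `bad_event` is a defender's view of the proof, not a test an implementation can run online: the IV is drawn internally by the mode (in SCT it is synthesised by EPWC), so the only lever a deployment has over this term is the tweak length t and the number m of nonce repetitions it tolerates.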

  78. Outline

  • TBCs and AE
  • Generic Composition: the NSIV Method
  • Authentication: the EPWC Mode
  • Encryption: the CTRT Mode
  • Conclusion

  79. Wrap-up and Final Remarks

  • EPWC + CTRT combined using the NSIV composition method = SCT (Synthetic Counter in Tweak) mode
  • BBB-secure in the nonce-respecting setting
  • retains birthday-bound security in the nonce-misuse setting
  • parallel, quite efficient, does not need the decryption direction
  • instantiation of the TBC: needs to be BBB-secure!
    ⇒ XEX does not work
    ⇒ use ad-hoc TBCs such as Deoxys-BC and Joltik-BC


  84. The end... Thanks for your attention! Comments or questions?

  85. References I

  Elena Andreeva, Andrey Bogdanov, Atul Luykx, Bart Mennink, Elmar Tischhauser, and Kan Yasuda. Parallelizable and Authenticated Online Ciphers. In Kazue Sako and Palash Sarkar, editors, Advances in Cryptology - ASIACRYPT 2013 (Proceedings, Part I), volume 8269 of LNCS, pages 424–443. Springer, 2013.

  Mihir Bellare and Chanathip Namprempre. Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. In Tatsuaki Okamoto, editor, Advances in Cryptology - ASIACRYPT 2000, volume 1976 of LNCS, pages 531–545. Springer, 2000.

  Paul Crowley. Mercy: A Fast Large Block Cipher for Disk Sector Encryption. In Bruce Schneier, editor, Fast Software Encryption - FSE 2000, volume 1978 of LNCS, pages 49–63. Springer, 2000.

  Ewan Fleischmann, Christian Forler, and Stefan Lucks. McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes. In Anne Canteaut, editor, Fast Software Encryption - FSE 2012, volume 7549 of LNCS, pages 196–215. Springer, 2012.

  86. References II

  Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker. The Skein Hash Function Family. SHA3 Submission to NIST (Round 3), 2010.

  Viet Tung Hoang, Ted Krovetz, and Phillip Rogaway. Robust Authenticated-Encryption: AEZ and the Problem That It Solves. In Elisabeth Oswald and Marc Fischlin, editors, Advances in Cryptology - EUROCRYPT 2015 (Proceedings, Part I), volume 9056 of LNCS, pages 15–44. Springer, 2015.

  Viet Tung Hoang, Reza Reyhanitabar, Phillip Rogaway, and Damian Vizár. Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance. In Rosario Gennaro and Matthew Robshaw, editors, Advances in Cryptology - CRYPTO 2015 (Proceedings, Part I), volume 9215 of LNCS, pages 493–517. Springer, 2015.

  Ted Krovetz and Phillip Rogaway. The Software Performance of Authenticated-Encryption Modes. In Antoine Joux, editor, Fast Software Encryption - FSE 2011, volume 6733 of LNCS, pages 306–327. Springer, 2011.
