ewcdm an efficient beyond birthday secure nonce misuse
play

EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant - PowerPoint PPT Presentation

Mar 02, 2024 •264 likes •980 views

Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benot Cogliati 1 Yannick Seurin 2 1 University of Versailles, France 2 ANSSI, France

  1. Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benoît Cogliati 1 Yannick Seurin 2 1 University of Versailles, France 2 ANSSI, France August 15, 2016 — CRYPTO 2016 B. Cogliati, Y. Seurin EWCDM CRYPTO 2016 1 / 26

  2. Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion Summary of our Contribution We propose a new Wegman-Carter-style MAC, called Encrypted Wegman Carter with Davies-Meyer, based on a xor-universal hash function and a block cipher, with the following properties: 1. it is efficient (two block cipher calls, one of which can be computed in parallel to the hash) 2. it is secure beyond the birthday-bound when nonces are not repeated 3. it retains security up to the birthday bound when nonces are reused B. Cogliati, Y. Seurin EWCDM CRYPTO 2016 2 / 26

  3. Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion Summary of our Contribution We propose a new Wegman-Carter-style MAC, called Encrypted Wegman Carter with Davies-Meyer, based on a xor-universal hash function and a block cipher, with the following properties: 1. it is efficient (two block cipher calls, one of which can be computed in parallel to the hash) 2. it is secure beyond the birthday-bound when nonces are not repeated 3. it retains security up to the birthday bound when nonces are reused B. Cogliati, Y. Seurin EWCDM CRYPTO 2016 2 / 26

  4. Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion Summary of our Contribution We propose a new Wegman-Carter-style MAC, called Encrypted Wegman Carter with Davies-Meyer, based on a xor-universal hash function and a block cipher, with the following properties: 1. it is efficient (two block cipher calls, one of which can be computed in parallel to the hash) 2. it is secure beyond the birthday-bound when nonces are not repeated 3. it retains security up to the birthday bound when nonces are reused B. Cogliati, Y. Seurin EWCDM CRYPTO 2016 2 / 26

  5. Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion Summary of our Contribution We propose a new Wegman-Carter-style MAC, called Encrypted Wegman Carter with Davies-Meyer, based on a xor-universal hash function and a block cipher, with the following properties: 1. it is efficient (two block cipher calls, one of which can be computed in parallel to the hash) 2. it is secure beyond the birthday-bound when nonces are not repeated 3. it retains security up to the birthday bound when nonces are reused B. Cogliati, Y. Seurin EWCDM CRYPTO 2016 2 / 26

  6. Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion Outline Background on Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion B. Cogliati, Y. Seurin EWCDM CRYPTO 2016 3 / 26

  7. Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion Outline Background on Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion B. Cogliati, Y. Seurin EWCDM CRYPTO 2016 4 / 26

  8. Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion (Nonce-Based) Message Authentication Codes ( N , M , T ) T = MAC K ( N , M ) MAC K ( N , M ) = T ? Security Definition The adversary is allowed • q m MAC queries T = MAC K ( N , M ) • q v verification queries (forgery attempts) ( N ′ , M ′ , T ′ ) and is successful if one of the verification queries ( N ′ , M ′ , T ′ ) passes and no previous MAC query ( N ′ , M ′ ) returned T ′ . The adversary is said nonce-respecting if it does not repeat nonces in MAC queries. B. Cogliati, Y. Seurin EWCDM CRYPTO 2016 5 / 26

  9. Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion (Nonce-Based) Message Authentication Codes ( N , M , T ) ( N , M , T ) T = MAC K ( N , M ) MAC K ( N , M ) = T ? Security Definition The adversary is allowed • q m MAC queries T = MAC K ( N , M ) • q v verification queries (forgery attempts) ( N ′ , M ′ , T ′ ) and is successful if one of the verification queries ( N ′ , M ′ , T ′ ) passes and no previous MAC query ( N ′ , M ′ ) returned T ′ . The adversary is said nonce-respecting if it does not repeat nonces in MAC queries. B. Cogliati, Y. Seurin EWCDM CRYPTO 2016 5 / 26

  10. Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion (Nonce-Based) Message Authentication Codes ( N , M , T ) ( N ′ , M ′ , T ′ ) T = MAC K ( N , M ) MAC K ( N , M ) = T ? Security Definition The adversary is allowed • q m MAC queries T = MAC K ( N , M ) • q v verification queries (forgery attempts) ( N ′ , M ′ , T ′ ) and is successful if one of the verification queries ( N ′ , M ′ , T ′ ) passes and no previous MAC query ( N ′ , M ′ ) returned T ′ . The adversary is said nonce-respecting if it does not repeat nonces in MAC queries. B. Cogliati, Y. Seurin EWCDM CRYPTO 2016 5 / 26

  11. Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion (Nonce-Based) Message Authentication Codes ( N , M , T ) ( N ′ , M ′ , T ′ ) T = MAC K ( N , M ) MAC K ( N , M ) = T ? Security Definition The adversary is allowed • q m MAC queries T = MAC K ( N , M ) • q v verification queries (forgery attempts) ( N ′ , M ′ , T ′ ) and is successful if one of the verification queries ( N ′ , M ′ , T ′ ) passes and no previous MAC query ( N ′ , M ′ ) returned T ′ . The adversary is said nonce-respecting if it does not repeat nonces in MAC queries. B. Cogliati, Y. Seurin EWCDM CRYPTO 2016 5 / 26

  12. Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion (Nonce-Based) Message Authentication Codes ( N , M , T ) ( N ′ , M ′ , T ′ ) T = MAC K ( N , M ) MAC K ( N , M ) = T ? Security Definition The adversary is allowed • q m MAC queries T = MAC K ( N , M ) • q v verification queries (forgery attempts) ( N ′ , M ′ , T ′ ) and is successful if one of the verification queries ( N ′ , M ′ , T ′ ) passes and no previous MAC query ( N ′ , M ′ ) returned T ′ . The adversary is said nonce-respecting if it does not repeat nonces in MAC queries. B. Cogliati, Y. Seurin EWCDM CRYPTO 2016 5 / 26

  13. Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion Wegman-Carter MACs [GMS74, WC81] M H K one-time pad T • based on an ε -almost xor-universal ( ε -AXU) hash function H : ∀ M � = M ′ , ∀ Y , Pr [ K ← $ K : H K ( M ) ⊕ H K ( M ′ ) = Y ] ≤ ε • in practice, OTPs are replaced by a PRF applied to a nonce N • H usually based on polynomial evaluation (GCM, Poly1305) • “optimal” security: Adv MAC WC ( q m , q v ) ≤ ε q v + Adv PRF ( q m + q v ) F B. Cogliati, Y. Seurin EWCDM CRYPTO 2016 6 / 26

  14. Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion Wegman-Carter MACs [GMS74, WC81] M N H K F K ′ T • based on an ε -almost xor-universal ( ε -AXU) hash function H : ∀ M � = M ′ , ∀ Y , Pr [ K ← $ K : H K ( M ) ⊕ H K ( M ′ ) = Y ] ≤ ε • in practice, OTPs are replaced by a PRF applied to a nonce N • H usually based on polynomial evaluation (GCM, Poly1305) • “optimal” security: Adv MAC WC ( q m , q v ) ≤ ε q v + Adv PRF ( q m + q v ) F B. Cogliati, Y. Seurin EWCDM CRYPTO 2016 6 / 26

  15. Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion Wegman-Carter MACs [GMS74, WC81] M N H K F K ′ T • based on an ε -almost xor-universal ( ε -AXU) hash function H : ∀ M � = M ′ , ∀ Y , Pr [ K ← $ K : H K ( M ) ⊕ H K ( M ′ ) = Y ] ≤ ε • in practice, OTPs are replaced by a PRF applied to a nonce N • H usually based on polynomial evaluation (GCM, Poly1305) • “optimal” security: Adv MAC WC ( q m , q v ) ≤ ε q v + Adv PRF ( q m + q v ) F B. Cogliati, Y. Seurin EWCDM CRYPTO 2016 6 / 26

  16. Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion Wegman-Carter MACs [GMS74, WC81] M N H K F K ′ T • based on an ε -almost xor-universal ( ε -AXU) hash function H : ∀ M � = M ′ , ∀ Y , Pr [ K ← $ K : H K ( M ) ⊕ H K ( M ′ ) = Y ] ≤ ε • in practice, OTPs are replaced by a PRF applied to a nonce N • H usually based on polynomial evaluation (GCM, Poly1305) • “optimal” security: Adv MAC WC ( q m , q v ) ≤ ε q v + Adv PRF ( q m + q v ) F B. Cogliati, Y. Seurin EWCDM CRYPTO 2016 6 / 26

  17. Wegman-Carter MACs The EWCDM Construction Security Result and Proof Sketch Conclusion Implementing the PRF from a Block Cipher M N H K F K ′ T • in practice, F is replaced by a block cipher • but provable security drops to birthday bound � [Sho96] Adv MAC + Adv PRF WC ( q m , q v ) ≤ ε q v ( q m + q v ) F • a better bound exists [Ber05] but still “birthday-type” • solution: BBB-secure PRP-to-PRF conversion (more later) B. Cogliati, Y. Seurin EWCDM CRYPTO 2016 7 / 26

Recommend

Online Authenticated Encryption and its Nonce-Reuse Misuse-Resistance Viet Tung Hoang 1 Reza

Online Authenticated Encryption and its Nonce-Reuse Misuse-Resistance Viet Tung Hoang 1 Reza

Online Authenticated Encryption and its Nonce-Reuse Misuse-Resistance Viet Tung Hoang 1 Reza Reyhanitabar 2 Phillip Rogaway 3 Damian Vizr 4 1 UC, Santa Barbara 2 NEC Laboratories Europe, Germany 3 UC Davis 4 EPFL, Switzerland 6th Asian Workshop

730 views • 50 slides
Beyond-Birthday-Bound Secure MACs Yannick Seurin ANSSI, France January 2018, Dagstuhl Seminar

Beyond-Birthday-Bound Secure MACs Yannick Seurin ANSSI, France January 2018, Dagstuhl Seminar

Generalities Stateless Deterministic MACs Nonce-Based MACs Beyond-Birthday-Bound Secure MACs Yannick Seurin ANSSI, France January 2018, Dagstuhl Seminar Y. Seurin BBB Secure MACs January 2018 1 / 44 Generalities Stateless Deterministic

1.21k views • 95 slides
Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data

Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data

Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data Weichao Wang, Zhiwei Li, Rodney Owens, Bharat Bhargava CCSW 2009: The ACM Cloud Computing Security Workshop 1 The Problem Providing secure and

414 views • 19 slides
BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian

BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian

Introduction Motivation Security Result Attack Security Proof BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian Institute of Technology, Kharagpur, India. AFRICACRYPT, 2020 June 30, 2020 Introduction

1.74k views • 57 slides
Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit

Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit

Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit Dutta 2 , Mridul Nandi 2 and Kan Yasuda 3 1. Indian Institute of Technology, Kharagpur, India 2. Indian Statistical Institute, Kolkata, India 3. NTT

580 views • 45 slides
Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message Transmission Schemes Yvo Desmedt 1 , 2 Stelios Erotokritou 1 Reihaneh Safavi-Naini 3 1 Department of Computer Science University College London, UK 2

459 views • 33 slides
Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE

Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE

Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE Convenient What is Secure Returns ? Secure Returns is a secure website where you and your clients can securely upload & download confidential

202 views • 9 slides
Misuse & Abuse Cases Engineering Secure Software Last Revised: October 9, 2020 SWEN-331:

Misuse & Abuse Cases Engineering Secure Software Last Revised: October 9, 2020 SWEN-331:

Misuse & Abuse Cases Engineering Secure Software Last Revised: October 9, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is a Requirement? How do you define it? If done well, what are they useful for? Who

648 views • 27 slides
Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure

Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure

Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure Metering Issues and Extensions Real World Other Directions Metering for General Access Structures Understanding the model Audit Agency

480 views • 35 slides
Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Dept. Of Computer Science & Engineering, IIT Kharagpur, INDIA 2 Dept. Of Mathematics, Vidyasagar University, INDIA DIAC 2014, Santa Barbara, USA Nonce-based Encryption

298 views • 19 slides
CAESAR candidate Marble Jian Guo DIAC 24 August 2014 @Santa Barbara, CA, USA Design Goals

CAESAR candidate Marble Jian Guo DIAC 24 August 2014 @Santa Barbara, CA, USA Design Goals

CAESAR candidate Marble Jian Guo DIAC 24 August 2014 @Santa Barbara, CA, USA Design Goals Online Parallelizable Software oriented Decryption-misuse resistant, unverified plaintext release Nonce-misuse resistant, or

180 views • 15 slides
Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment

Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment

Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment pain The vision The Octomizer: TVM for everyone 2 Simple, secure, and efficient Drive TVM adoption Expand the set of users who can deployment of

370 views • 14 slides
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No attacks in 14 years & proven

1.17k views • 68 slides
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chalmers, 21 June 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No attacks in 14 years & proven

679 views • 63 slides
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress

KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress (CCC), 27 December 2017 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No

845 views • 67 slides
Secure and Efficient Metering Moni Naor and Benny Pinkas Eurocrypt '98 Contents Motivation

Secure and Efficient Metering Moni Naor and Benny Pinkas Eurocrypt '98 Contents Motivation

Secure and Efficient Metering Moni Naor and Benny Pinkas Eurocrypt '98 Contents Motivation One approach Lightweight Security Secure and Efficient Metering Motivation Advertising Webpage popularity Cost Measure

993 views • 49 slides
Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU)

Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU)

Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU) Department of Mathematics e.zenner@mat.dtu.dk Pisa, Sep. 9, 2009 Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 1 / 29 Everyone

337 views • 32 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Efficient Outsourcing GWAS using FHE Wenjie Lu*, Jun Sakuma * * Dept. of CS, University of

Efficient Outsourcing GWAS using FHE Wenjie Lu*, Jun Sakuma * * Dept. of CS, University of

Efficient Outsourcing GWAS using FHE Wenjie Lu*, Jun Sakuma * * Dept. of CS, University of Tsukuba, Japan JST CREST Secure Outsourcing GWAS Secure computation [Cloud] Outline of our solution [data holder] Secure

381 views • 19 slides
Ensuring a secure, reliable and efficient Power System in a Changing Environment Delivering a

Ensuring a secure, reliable and efficient Power System in a Changing Environment Delivering a

Ensuring a secure, reliable and efficient Power System in a Changing Environment Delivering a Secure Sustainable Power System 17 th August 2011 Outline Agenda Chair: Dick Lewis, Manager, Grid Operations Planning 10.00 a.m. Registration (Tea

833 views • 70 slides
POEx: A Beyond-Birthday-Bound-Secure On-Line Cipher ArcticCrypt 2016 Christian Forler 1 Eik List

POEx: A Beyond-Birthday-Bound-Secure On-Line Cipher ArcticCrypt 2016 Christian Forler 1 Eik List

POEx: A Beyond-Birthday-Bound-Secure On-Line Cipher ArcticCrypt 2016 Christian Forler 1 Eik List 2 Stefan Lucks 2 Jakob Wenzel 2 1 Hochschule Schmalkalden, 2 Bauhaus-Universitt Weimar eik.list (at) uni-weimar.de 18 July 2016 18 July 2016

561 views • 53 slides
More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis Hofheinz 2 Lisa Kohl 2 Jiaxin Pan 2 1 ENS Paris, France 2 Karlsruhe Institute of Technology, Germany R. Gay, D. Hofheinz, L. Kohl, J. Pan More Efficient

827 views • 45 slides
Techniques for Efficient Secure Computation Based on Yaos Protocol Yehuda Lindell Bar-Ilan

Techniques for Efficient Secure Computation Based on Yaos Protocol Yehuda Lindell Bar-Ilan

Techniques for Efficient Secure Computation Based on Yaos Protocol Yehuda Lindell Bar-Ilan University, Israel PKC 2013 Yehuda Lindell Techniques for Efficient Secure Computation 28/2/2013 1 / 39 Secure Computation Background A set of

689 views • 39 slides
Preventing Opioid Misuse and Disorder through Benefit Design Addressing Opioid Misuse and Pain:

Preventing Opioid Misuse and Disorder through Benefit Design Addressing Opioid Misuse and Pain:

Preventing Opioid Misuse and Disorder through Benefit Design Addressing Opioid Misuse and Pain: A 6-Month Employer Journey Cohort Meeting 1 of 3 | November 1, 2019 Welcome KHC Co-Directors Teresa Couts, Ed.D Randa Deaton, MA UAW Director

489 views • 22 slides

More recommend