hash cfb
play

Hash-CFB Authenticated Encryption Without a Block Cipher Christian - PowerPoint PPT Presentation

Mar 20, 2024 •317 likes •510 views

Hash-CFB Authenticated Encryption Without a Block Cipher Christian Forler 1 , Stefan Lucks 1 , David McGrew 2 , Jakob Wenzel 1 1 Bauhaus-Universitt Weimar, Germany, 2 Cisco Systems, USA DIAC, Stockholm, July, 2012 1 C. Forler, S. Lucks,

  1. Hash-CFB Authenticated Encryption Without a Block Cipher Christian Forler 1 , Stefan Lucks 1 , David McGrew 2 , Jakob Wenzel 1 1 Bauhaus-Universität Weimar, Germany, 2 Cisco Systems, USA DIAC, Stockholm, July, 2012 –1– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

  2. Outlook Goals From BC-CFB to Hash-CFB Alternatives Security Claims . . . Beyond “Standard” AE . . . Core Ideas for Proofs . . . on Side Channels Final Remarks and Summary –2– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

  3. Goals 1. security (of course) 2. feasible on constrained devices one primitive to rule them all, one primitive to bind them . . . 3. simplicity: ◮ easy to describe ◮ easy to implement ◮ easy to analyze based on a “standard” primitive 4. reasonable efficiency –3– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

  4. From BC-CFB to Hash-CFB nonce M[1] M[2] M[n] 0 C[1] C[2] C[n] tag BC-CFB: ◮ privacy: CFB encryption ◮ authenticity: trivial attacks! –4– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

  5. From BC-CFB to Hash-CFB 1 1 1 2 nonce 0 M[1] M[2] M[n] 0 C[1] C[2] C[n] tag Hash-CFB, using a fixed-input-length (FIL) hash function: ◮ privacy: the same as CFB encryption ◮ authenticity: secure – see later 1. make both T[i] = C[i] ⊕ M[I] and C[i] inputs for the ( i + 1)st call 2. differentiate last primitive call from previous calls –4– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

  6. From BC-CFB to Hash-CFB key assoc. data nonce S 0 C[n] 0 C[1] C[n−1] T[0] T[1] T[n−1] T[n] 1 1 1 2 T[2] M[1] M[2] M[n] C[1] C[n] tag C[2] ◮ long-term key and nonce define message-secret S –5– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

  7. From BC-CFB to Hash-CFB key assoc. data nonce S 0 C[n] 0 C[1] C[n−1] T[0] T[1] T[n−1] T[n] 1 1 1 2 T[2] M[1] M[2] M[n] C[1] C[n] tag C[2] ◮ long-term key and nonce define message-secret S ◮ S is xor-ed to the previous hash output (recall that a hash function is unkeyed, by nature) –5– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

  8. From BC-CFB to Hash-CFB key assoc. data nonce S 0 C[n] 0 C[1] C[n−1] T[0] T[1] T[n−1] T[n] 1 1 1 2 T[2] M[1] M[2] M[n] C[1] C[n] tag C[2] ◮ long-term key and nonce define message-secret S ◮ S is xor-ed to the previous hash output (recall that a hash function is unkeyed, by nature) ◮ use a VIL (variable input length) hash of the associated data –5– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

  9. Alternatives primitive solution 1. block cipher block cipher based hash fun. 2. hash function generic composition (e.g., counter mode & HMAC) 3. compression function (whatever) –6– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

  10. Alternatives primitive solution 1. block cipher block cipher based hash fun. 2. hash function generic composition (e.g., counter mode & HMAC) 3. compression function (whatever) 1. standard block cipher: AES, n = 128 need 2 n -bit hash function; plenty of good DBL-hashes in literature, but what is the “standard” for DBL hashing? –6– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

  11. Alternatives primitive solution 1. block cipher block cipher based hash fun. 2. hash function generic composition (e.g., counter mode & HMAC) 3. compression function (whatever) 1. standard block cipher: AES, n = 128 need 2 n -bit hash function; plenty of good DBL-hashes in literature, but what is the “standard” for DBL hashing? 2. how to deal with additional complexity and storage? (two independent keys, two states, . . . ) –6– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

  12. Alternatives primitive solution 1. block cipher block cipher based hash fun. 2. hash function generic composition (e.g., counter mode & HMAC) 3. compression function (whatever) 1. standard block cipher: AES, n = 128 need 2 n -bit hash function; plenty of good DBL-hashes in literature, but what is the “standard” for DBL hashing? 2. how to deal with additional complexity and storage? (two independent keys, two states, . . . ) 3. cryptographers know the “compression functions”, but which standards or APIs actually define them? –6– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

  13. Security Claims Standard AE Claims nonce key message ciphertext (assoc. data) auth. tag ◮ assume the hash function behaves like a good PRF ◮ restrict the adversary to be nonce-respecting ◮ privacy: chosen plaintext attack (CPA) resistant ◮ authenticity: integrity of ciphertexts (Int-CTXT) ◮ more privacy: CPA and Int-CTXT ⇒ CCA –7– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

  14. Security Claims . . . Beyond “Standard” AE nonce key message ciphertext (assoc. data) auth. tag ◮ nonce misuse: the adversary is not always nonce respecting (e.g., due to implementation errors) ◮ privacy: still holds when using a new nonce ◮ authenticity: not affected (!) ◮ weak assumptions: ◮ privacy: requires the FIL HF to be a good PRF ◮ authenticity: only requires “forgery resistance” of the FIL HF ◮ side-channel resistance: (see below) –8– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

  15. Security Claims . . . Core Ideas for Proofs ◮ privacy: similar to block cipher based CFB ◮ authenticity: for queries, the final hash input to compute tag is always different: C[n] C[n−1] ◮ T[n] is a (keyed) hash T[n−1] T[n] of the message 1 2 ( ⇒ no collisions), and ◮ the postfix 2 is only M[n] used for final hash function calls C[n] tag so a forger would have to predict the output of the final FIL hash function call – even if the same nonce had been used repeatedly –9– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

  16. Security Claims . . . on Side Channels typical side-channel attacks: ◮ many measurements of a primitive operations under the same key ◮ X messages, each of length L blocks: XL measurements for the same key –10– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

  17. Security Claims . . . on Side Channels key assoc. data nonce S 0 C[n] 0 C[1] C[n−1] T[0] T[1] T[n−1] T[n] 1 1 1 2 T[2] M[1] M[2] M[n] C[1] C[n] tag C[2] side-channel attacks against hash-CFB: ◮ X messages, each of length L , nonce-respecting: X measurements for key and L for each of S ◮ even when not nonce-respecting: adversary may find some S but only use it to to compromise messages using that single nonce –11– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

  18. Final Remarks and Summary ◮ in the paper ◮ SHA-224-based instantiation of HASH-CFB: ◮ one FIL hash ⇔ one compression function call ◮ our goals: ◮ secure, feasable on constrained devices, simple, efficient (in that order) ◮ using a hash function seems to be a good approach ◮ security requirements (beyond “standard”): ◮ authenticity even under nonce reuse ◮ authenticity needs weaker assumption than privacy ◮ some defense against side-channel attacks ◮ for discussion at DIAC: ◮ Should such security requirements become a standard for new generation AE schemes? –12– C. Forler, S. Lucks, D. McGrew, J. Wenzel: Hash-CFB

Recommend

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must provide o Compression output length is small o Efficiency h(x) easy to compute for any x o One-way given a value y it is infeasible to find

465 views • 42 slides
Topic 22 Hash Tables " hash collision n. [from the techspeak] (var. `hash clash') When used

Topic 22 Hash Tables " hash collision n. [from the techspeak] (var. `hash clash') When used

Topic 22 Hash Tables " hash collision n. [from the techspeak] (var. `hash clash') When used of people, signifies a confusion in associative memory or imagination, especially a persistent one (see thinko ). True story: One of us was once on

908 views • 31 slides
Hash Table In a hash table, we allocate an array of size m, which is much smaller than |U|

Hash Table In a hash table, we allocate an array of size m, which is much smaller than |U|

Hash Table In a hash table, we allocate an array of size m, which is much smaller than |U| (the set of keys). Tirgul 9 We use a hash function h() to determine the entry of each key. Hash Tables (continued) Reminder The crucial

151 views • 4 slides
HASH FUNCTIONS 1 / 62 What is a hash function? By a hash function we usually mean a map h : D

HASH FUNCTIONS 1 / 62 What is a hash function? By a hash function we usually mean a map h : D

HASH FUNCTIONS 1 / 62 What is a hash function? By a hash function we usually mean a map h : D { 0 , 1 } n that is compressing, meaning | D | > 2 n . E.g. D = { 0 , 1 } 2 64 is the set of all strings of length at most 2 64 . h n MD4

1.13k views • 78 slides
Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David

Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David

Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David Malone 11 October 2012 Hash Functions We are talking about hash functions for consistent assignment. For example, Hash tables, Network

448 views • 18 slides
Hash Functions and Hash Tables (2.5.2) A hash function h maps keys of a given type to

Hash Functions and Hash Tables (2.5.2) A hash function h maps keys of a given type to

Dictionaries 1/19/2005 11:37 PM Hash Functions and Hash Tables (2.5.2) A hash function h maps keys of a given type to Dictionaries and Hash Tables integers in a fixed interval [0, N 1] Example: h ( x ) = x mod N 0 is a hash function for

503 views • 4 slides
(username, password) ? x ? ? ? ? but (username,hash(password))

(username, password) ? x ? ? ? ? but (username,hash(password))

Hash Functions - Bart Preneel June 2016 Hash functions X.509 Annex D RIPEMD-160 SHA-3 MDC-2 SHA-256 MD2, MD4, MD5 Introduction to the SHA-512 SHA-1 Design and Cryptanalysis of Cryptographic Hash Functions This is an input to a crypto-

517 views • 10 slides
Hash Tables 1 Hash Table in Primary Storage Main parameter B = number of buckets Hash

Hash Tables 1 Hash Table in Primary Storage Main parameter B = number of buckets Hash

Hash Tables 1 Hash Table in Primary Storage Main parameter B = number of buckets Hash function h maps key to numbers from 0 to B-1 Bucket array indexed from 0 to B-1 Each bucket contains exactly one value Strategy

460 views • 33 slides
What is Hash, What are Concentrates, what is a Dab? Why do people use hash and concentrates and

What is Hash, What are Concentrates, what is a Dab? Why do people use hash and concentrates and

What is Hash, What are Concentrates, what is a Dab? Why do people use hash and concentrates and how do they consume these products? By Max Montrose Why do people use Hash / Concentrates? Medical. Some people who have chronic epilepsy or

740 views • 21 slides
Security Proofs for the MD6 Hash Algorithm Ahmed Ezzat Outline Introduction to hash

Security Proofs for the MD6 Hash Algorithm Ahmed Ezzat Outline Introduction to hash

Security Proofs for the MD6 Hash Algorithm Ahmed Ezzat Outline Introduction to hash algorithms NIST SHA-3 Competition MD6 Algorithm and Mode of Operation Research Objective Approach Introduction to hash algorithms Hash

454 views • 14 slides
Distributed Hash Tables What is a DHT? Hash Table data structure that maps keys to

Distributed Hash Tables What is a DHT? Hash Table data structure that maps keys to

Distributed Hash Tables What is a DHT? Hash Table data structure that maps keys to values essen=al building block in so?ware systems Distributed Hash Table (DHT) similar, but spread across many hosts Interface

455 views • 32 slides
Hash functions : MAC / HMAC Outline Message Authentication Codes Keyed hash family

Hash functions : MAC / HMAC Outline Message Authentication Codes Keyed hash family

Hash functions : MAC / HMAC Outline Message Authentication Codes Keyed hash family Unconditionally Secure MACs Ref: D Stinson: Cryprography Theory and Practice (3 rd ed), Chap 4. Universal hash family Notations: X is a

457 views • 12 slides
Chapter 6 Hash-Based Indexing Efficient Support for Equality Search Hash-Based Indexing Static

Chapter 6 Hash-Based Indexing Efficient Support for Equality Search Hash-Based Indexing Static

Hash-Based Indexing Torsten Grust Chapter 6 Hash-Based Indexing Efficient Support for Equality Search Hash-Based Indexing Static Hashing Hash Functions Architecture and Implementation of Database Systems Extendible Hashing Summer 2016

930 views • 39 slides
dictionaries (aka hash tables or hash maps) Genome 559: Introduction to Statistical and

dictionaries (aka hash tables or hash maps) Genome 559: Introduction to Statistical and

dictionaries (aka hash tables or hash maps) Genome 559: Introduction to Statistical and Computational Genomics Prof. James H. Thomas Review You should be very comfortable with loops by now Start paying attention to program robustness

165 views • 16 slides
Slinging the Hash (Function) What are hash functions good for? Hashing values to insert into

Slinging the Hash (Function) What are hash functions good for? Hashing values to insert into

Slinging the Hash (Function) What are hash functions good for? Hashing values to insert into arrays: hash tables Converting long strings into shorter strings in an irreversible way: one-way function Turn a 200 KB document into a 16

434 views • 5 slides
Hash Table Analysis When do hash tables degrade in performance? How should we set the maximum

Hash Table Analysis When do hash tables degrade in performance? How should we set the maximum

Hash Table Analysis When do hash tables degrade in performance? How should we set the maximum load factor? It is especially important to know the average behavior of a hashing method, because we are committed to trusting in the laws of

579 views • 22 slides
Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about digital signatures... A Tale of Two Boxes A Tale of Two Boxes Much of today s applied cryptography works with two magic boxes A Tale of Two Boxes

1.68k views • 129 slides
Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about digital signatures... A Tale of Two Boxes A Tale of Two Boxes Much of today s applied cryptography works with two magic boxes A Tale of Two Boxes

1.37k views • 120 slides
1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Using Symmetric Ciphers for MACs can use any block cipher chaining mode and use final block as a MAC Chapter 12 Hash Algorithms Data Authentication Algorithm (DAA) is a widely used MAC

305 views • 5 slides
, R ADIO G ATN , a belt-and-mill hash function a belt-and-mill hash function Guido Bertoni,

, R ADIO G ATN , a belt-and-mill hash function a belt-and-mill hash function Guido Bertoni,

R ADIO G ATN , R ADIO G ATN , a belt-and-mill hash function a belt-and-mill hash function Guido Bertoni, Joan Daemen, Michal Peeters * and Gilles Van Assche STMicroelectronics * De Valck Consultants Second Cryptographic Hash Workshop

474 views • 16 slides
Hash tables Hash functions Open addressing March 09, 2020 Cinda Heeren / Andy Roth / Geoffrey

Hash tables Hash functions Open addressing March 09, 2020 Cinda Heeren / Andy Roth / Geoffrey

Hash tables Hash functions Open addressing March 09, 2020 Cinda Heeren / Andy Roth / Geoffrey Tien 1 Hash tables A hash table consists of an array to store data Data often consists of complex types, or pointers to such objects One

247 views • 21 slides
dictionaries (aka hash tables or hash maps) Genome 559: Introduction to Statistical and

dictionaries (aka hash tables or hash maps) Genome 559: Introduction to Statistical and

dictionaries (aka hash tables or hash maps) Genome 559: Introduction to Statistical and Computational Genomics Prof. James H. Thomas Review You should be comfortable with loops by now. I will post another slide showing more on loops.

357 views • 19 slides
Complex Libraries Using Hash Dictionaries 1 Playing Hash Table You are the new produce manager

Complex Libraries Using Hash Dictionaries 1 Playing Hash Table You are the new produce manager

Complex Libraries Using Hash Dictionaries 1 Playing Hash Table You are the new produce manager of the local grocery store. You want to use a dictionary to track your fruit inventory. Entries have the form (banana, 20) where o

595 views • 55 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

787 views • 23 slides

More recommend