linking oae and blockwise attack models
play

Linking OAE and Blockwise Attack Models Fast Software Encryption - PowerPoint PPT Presentation

Jun 27, 2023 •354 likes •819 views

Linking OAE and Blockwise Attack Models Fast Software Encryption 2017 Guillaume Endignoux, Damian Vizr EPFL, Switzerland Wednesday 8 th March, 2017 This work was partially supported by Microsoft Research. G. Endignoux, D. Vizr (EPFL)

  1. Linking OAE and Blockwise Attack Models Fast Software Encryption 2017 Guillaume Endignoux, Damian Vizár EPFL, Switzerland Wednesday 8 th March, 2017 This work was partially supported by Microsoft Research. G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 1 / 20

  2. Introduction Authenticated encryption : confidentiality & authentication in one primitive. Ongoing CAESAR competition on authenticated encryption (2014 – 2017) G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 2 / 20

  3. Introduction Authenticated encryption : confidentiality & authentication in one primitive. Ongoing CAESAR competition on authenticated encryption (2014 – 2017) ⇒ most proposed schemes are online . M [ 1 ] M [ j ] M [ n ] ... ... C [ 1 ] C [ j ] C [ n ] ... ... Online authenticated encryption : computable on the fly, constant memory. G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 2 / 20

  4. Introduction Security notions to capture AE: AE with associated data (AEAD) [Rogaway, 2002] Nonce-misuse resistant AE (MRAE) [Rogaway et al., 2006] ⇒ cannot be online! Online nonce-misuse resistant AE (OAE) [Fleischmann et al., 2012] Older notions for blockwise-adaptive adversaries [Fouque et al., 2003] ⇒ What are the relations between these notions? G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 3 / 20

  5. Introduction Security notions to capture AE: AE with associated data (AEAD) [Rogaway, 2002] Nonce-misuse resistant AE (MRAE) [Rogaway et al., 2006] ⇒ cannot be online! Online nonce-misuse resistant AE (OAE) [Fleischmann et al., 2012] Older notions for blockwise-adaptive adversaries [Fouque et al., 2003] ⇒ What are the relations between these notions? Main contribution : we prove equivalence between OAE and blockwise notions, modulo new PR-TAG notion. G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 3 / 20

  6. Online authenticated encryption We consider the setting of [Fleischmann et al., 2012] Online authenticated encryption scheme Π = ( K , E , D ) finite key space K deterministic algorithms E and D K K H H C , T E D M ∨ ⊥ C , T M Required properties: correctness: D ( K , H , E ( K , H , M )) = M onlineness: Core ◦ E ( K , H , · ) ∈ OPerm [ n ] G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 4 / 20

  7. Online authenticated encryption M [ 1 ] M [ j ] M [ n ] H ... ... C [ 1 ] C [ j ] C [ n ] ... ... T blocks of n bits B n = { 0 , 1 } n message space B ∗ n header space H (e.g. { 0 , 1 } ∗ ) = nonce + associated data tag space T = B τ ( τ bits) ciphertext space C = B ∗ n × T (core ciphertext blocks + authentication tag) G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 5 / 20

  8. Online authenticated encryption We model encryption by online permutations of B ∗ n . M [ 1 ] M [ j ] M [ n ] ... ... π ∈ OPerm [ n ] C [ 1 ] C [ j ] C [ n ] ... ... C [ j ] depends only on M [ 1 ] , . . . , M [ j ] . G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 6 / 20

  9. Security notions We consider the following notions: OAE [Fleischmann et al., 2012] blockwise privacy [Fouque et al., 2003-2004] blockwise integrity [Fouque et al., 2003] G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 7 / 20

  10. Security notions We consider the following notions: OAE [Fleischmann et al., 2012] ⇒ indistinguishability from idealized primitive blockwise privacy [Fouque et al., 2003-2004] ⇒ left-or-right sequential blockwise CPA blockwise integrity [Fouque et al., 2003] ⇒ existential forgery of ciphertext G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 7 / 20

  11. OAE security Game OAE-REAL proc Initialize $ ← K K proc Enc ( H , M ) return E ( K , H , M ) proc Dec ( H , C ) return D ( K , H , C ) G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 8 / 20

  12. OAE security Game OAE-REAL Game OAE-IDEAL proc Initialize proc Initialize $ for all H ∈ H do ← K K $ ← OPerm [ n ] π H for all ( H , M ) ∈ H × B ∗ n do $ T H , M ← T proc Enc ( H , M ) proc Enc ( H , M ) return E ( K , H , M ) return ( π H ( M ) , T H , M ) proc Dec ( H , C ) proc Dec ( H , C ) return D ( K , H , C ) return ⊥ G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 8 / 20

  13. OAE security Game OAE-REAL Game OAE-IDEAL proc Initialize proc Initialize $ for all H ∈ H do ← K K $ ← OPerm [ n ] π H for all ( H , M ) ∈ H × B ∗ n do $ T H , M ← T proc Enc ( H , M ) proc Enc ( H , M ) return E ( K , H , M ) return ( π H ( M ) , T H , M ) proc Dec ( H , C ) proc Dec ( H , C ) return D ( K , H , C ) return ⊥ Adv OAE ( A ) = Pr [ A OAE-REAL ⇒ 1 ] − Pr [ A OAE-IDEAL ⇒ 1 ] Π Π Π G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 8 / 20

  14. Blockwise privacy Game LORS-BCPA proc Initialize $ ← K K $ ← { 0 , 1 } b � � H ← ⊥ ; M ← ε ; j ← 0 proc LR ( H , P 0 , P 1 ) if � H = ⊥ then � H ← H M ← � � M || P b C ← Core ( E ( K , � H , � M )) j ← j + 1 return C [ j ] G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 9 / 20

  15. Blockwise privacy Game LORS-BCPA proc Initialize proc GetTag ( H ) if � H = ⊥ then � $ H ← H ← K K T ← Tag ( E ( K , � H , � $ M )) ← { 0 , 1 } b � � H ← ⊥ ; M ← ε ; j ← 0 � � H ← ⊥ ; M ← ε ; j ← 0 return T proc LR ( H , P 0 , P 1 ) if � H = ⊥ then � proc Finalize ( d ) H ← H M ← � � return d = b M || P b C ← Core ( E ( K , � H , � M )) j ← j + 1 return C [ j ] G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 9 / 20

  16. Blockwise privacy Game LORS-BCPA proc Initialize proc GetTag ( H ) if � H = ⊥ then � $ H ← H ← K K T ← Tag ( E ( K , � H , � $ M )) ← { 0 , 1 } b � � H ← ⊥ ; M ← ε ; j ← 0 � � H ← ⊥ ; M ← ε ; j ← 0 return T proc LR ( H , P 0 , P 1 ) if � H = ⊥ then � proc Finalize ( d ) H ← H M ← � � return d = b M || P b C ← Core ( E ( K , � H , � M )) j ← j + 1 return C [ j ] Adv D-LORS-BCPA ( A ) = 2 · Pr [ A LORS-BCPA ⇒ 1 ] − 1 Π Π G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 9 / 20

  17. Blockwise privacy: deterministic schemes? Issue with deterministic left-or-right indistinguishability: trivial attacks possible. Query a L 0 L 1 R 0 R 1 Query b L 0 L 2 R 2 R 3 ⇒ Compare C a [ 0 ] and C b [ 0 ] to distinguish between left and right. G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 10 / 20

  18. Blockwise privacy: deterministic schemes? We define the online-respecting condition to avoid these attacks. Valid adversaries must respect it. LLCP ( L a , L b ) 1 = LLCP ( R a , R b ) if H a = H b L a [ 1 ] L a [ j ] L a [ n ] R a [ 1 ] R a [ j ] R a [ n ] ... ... ... ... L b [ 1 ] L b [ j ] L b [ p ] R b [ 1 ] R b [ j ] R b [ p ] ... ... ... ... Equivalently (Proposition 1): ∃ σ H ∈ OPerm [ n ] s.t. L i = σ H i ( R i ) 1 length of longest common prefix G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 11 / 20

  19. Blockwise integrity Game B-INT-CTXT proc Initialize win ← 0 $ ← K K X ← ∅ � � H ← ⊥ ; M ← ε ; j ← 0 proc Enc ( H , P ) if � H = ⊥ then � H ← H M ← � � M || P C ← Core ( E ( K , � H , � M )) j ← j + 1 return C [ j ] G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 12 / 20

  20. Blockwise integrity Game B-INT-CTXT proc GetTag ( H ) if � H = ⊥ then � H ← H C ← E ( K , � H , � proc Initialize M ) X ← X ∪ { ( � win ← 0 H , C ) } $ � � ← K H ← ⊥ ; M ← ε ; j ← 0 K X ← ∅ return Tag ( C ) � � H ← ⊥ ; M ← ε ; j ← 0 proc Dec ( H , C ) M ← D ( K , H , C ) proc Enc ( H , P ) if � H = ⊥ then � H ← H if ( H , C ) ∈ X then M ← ⊥ M ← � � M || P if M � = ⊥ then win ← 1 C ← Core ( E ( K , � H , � M )) return M j ← j + 1 return C [ j ] proc Finalize () return win G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 12 / 20

  21. Blockwise integrity Game B-INT-CTXT proc GetTag ( H ) if � H = ⊥ then � H ← H C ← E ( K , � H , � proc Initialize M ) X ← X ∪ { ( � win ← 0 H , C ) } $ � � ← K H ← ⊥ ; M ← ε ; j ← 0 K X ← ∅ return Tag ( C ) � � H ← ⊥ ; M ← ε ; j ← 0 proc Dec ( H , C ) M ← D ( K , H , C ) proc Enc ( H , P ) if � H = ⊥ then � H ← H if ( H , C ) ∈ X then M ← ⊥ M ← � � M || P if M � = ⊥ then win ← 1 C ← Core ( E ( K , � H , � M )) return M j ← j + 1 return C [ j ] proc Finalize () return win Adv B-INT-CTXT ( A ) = Pr [ A B-INT-CTXT ⇒ 1 ] Π Π G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 12 / 20

  22. Main results D-LORS-BCPA ∧ B-INT-CTXT Prop. 2 OAE Thms. 1, 2, 3 Thm. 4 D-LORS-BCPA ∧ B-INT-CTXT ∧ PR-TAG Relations between notions shown in the paper. G. Endignoux, D. Vizár (EPFL) Linking OAE & blockwise attack models FSE 2017 13 / 20

Recommend

Linking OAE and Blockwise Attack Models Fast Software Encryption 2017 Guillaume Endignoux 1 , 2 ,

Linking OAE and Blockwise Attack Models Fast Software Encryption 2017 Guillaume Endignoux 1 , 2 ,

Linking OAE and Blockwise Attack Models Fast Software Encryption 2017 Guillaume Endignoux 1 , 2 , Damian Vizr 1 1 EPFL, Switzerland 2 Kudelski Security Wednesday 8 th March, 2017 This work was partially supported by Microsoft Research. G.

1.02k views • 45 slides
Device-to-Identity linking attack using targeted I T A N Wi-Fi geolocation spoofing T U T

Device-to-Identity linking attack using targeted I T A N Wi-Fi geolocation spoofing T U T

RECHERCHE N O Y L E D S E E U Q I L P P A S E C N E I C S S E D L A N O Device-to-Identity linking attack using targeted I T A N Wi-Fi geolocation spoofing T U T I T S N I C elestin Matte -

702 views • 20 slides
Transforming Graphical System Models to Graphical Attack Models ! Joint work with Marieta

Transforming Graphical System Models to Graphical Attack Models ! Joint work with Marieta

From Graphical System Models... ... to Graphical Attack Models ... ... to Risk Assessment Transforming Graphical System Models to Graphical Attack Models ! Joint work with Marieta Georgieva Ivanova, ! ! Ren e Rydhof Hansen, and Florian

650 views • 27 slides
Analyzing Blockwise Lattice Algorithms using Dynamical Systems Guillaume Hanrot, Xavier Pujol,

Analyzing Blockwise Lattice Algorithms using Dynamical Systems Guillaume Hanrot, Xavier Pujol,

Analyzing Blockwise Lattice Algorithms using Dynamical Systems Guillaume Hanrot, Xavier Pujol, Damien Stehl e ENS Lyon, LIP (CNRS ENSL INRIA UCBL - ULyon) Analyzing Blockwise Lattice Algorithms using Dynamical Systems 1/16

939 views • 61 slides
Bridging biological scales by linking agent-based models to

Bridging biological scales by linking agent-based models to

Bridging biological scales by linking agent-based models to intracellular and con5nuum biomechanics models Shayn Peirce-Co:ler, Ph.D. Associate Professor of

741 views • 57 slides
Blockwise empirical likelihood and efficiency for semi-Markov processes Wolfgang Wefelmeyer

Blockwise empirical likelihood and efficiency for semi-Markov processes Wolfgang Wefelmeyer

Blockwise empirical likelihood and efficiency for semi-Markov processes Wolfgang Wefelmeyer Mathematical Institute University of Cologne jointly with Cindy Greenwood (Arizona State University) and Uschi M uller (Texas A&M University)

358 views • 7 slides
LINKING 3D GIS DATA TO 3D IFC MODELS 24 november 2017 Henri Veldhuis 1 PAS DIT AAN OF VERWIJDER

LINKING 3D GIS DATA TO 3D IFC MODELS 24 november 2017 Henri Veldhuis 1 PAS DIT AAN OF VERWIJDER

GEO| Design+BIM LINKING 3D GIS DATA TO 3D IFC MODELS 24 november 2017 Henri Veldhuis 1 PAS DIT AAN OF VERWIJDER HET 2017-11-30 Sweco engineering consultancy Organised in seven geographically based business areas Approx. 14,500

167 views • 12 slides
GAS PLANNING: LINKING MODELS AND ASSESSMENT OF RECIPROCAL EFFECTS 15 th IAEE European Conference,

GAS PLANNING: LINKING MODELS AND ASSESSMENT OF RECIPROCAL EFFECTS 15 th IAEE European Conference,

Navigating the Roadmap for Clean, Secure and Efficient Energy Innovation INTEGRATING ELECTRICITY AND NATURAL GAS PLANNING: LINKING MODELS AND ASSESSMENT OF RECIPROCAL EFFECTS 15 th IAEE European Conference, Vienna, September 3-6, 2017 Dr. Pedro

302 views • 19 slides
Advantages and disadvantages of current reference and digital objects linking models in

Advantages and disadvantages of current reference and digital objects linking models in

Advantages and disadvantages of current reference and digital objects linking models in scientific information space Radovan Vrana, M.Sc. Department of information sciences Faculty of philosophy Zagreb, Croatia Introduction Growth of

302 views • 17 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Linking family farms to markets 16 July 20 16 PRESENTATION Innovative business models to connect

Linking family farms to markets 16 July 20 16 PRESENTATION Innovative business models to connect

Linking family farms to markets 16 July 20 16 PRESENTATION Innovative business models to connect farmers to markets By M aarten van der Kamp, Lecturer in Entrepreneurship, Cranfield University, United Kingdom The views expressed in this

335 views • 11 slides
Developing Exercise Control Tools ; Linking Simulation Models with Others LTC Son, Eun Chul ;

Developing Exercise Control Tools ; Linking Simulation Models with Others LTC Son, Eun Chul ;

MilSim Asi sia Developing Exercise Control Tools ; Linking Simulation Models with Others LTC Son, Eun Chul ; Chief of Simulation Control, Joint Battle Simulation Center J oint B attle S imu mulation C enter MilSim Asi sia Agenda Overview

401 views • 16 slides
Small Area Models for Linking Deprivation to Local Areas in Italy ( draft ) Gennaro PUNZO

Small Area Models for Linking Deprivation to Local Areas in Italy ( draft ) Gennaro PUNZO

InGrid Summer School Reaching out to hard-to-survey groups among the poor HIVA-KU Leuven, Leuven - Belgium, 30 May -3 June 2016 Small Area Models for Linking Deprivation to Local Areas in Italy ( draft ) Gennaro PUNZO Universit y of

198 views • 18 slides
Small Area Models for Linking Deprivation to Local Areas in Italy Gennaro PUNZO University of

Small Area Models for Linking Deprivation to Local Areas in Italy Gennaro PUNZO University of

InGrid Summer School Reaching out to hard-to-survey groups among the poor HIVA-KU Leuven, Leuven - Belgium, 30 May -3 June 2016 Small Area Models for Linking Deprivation to Local Areas in Italy Gennaro PUNZO University of Naples

330 views • 31 slides
Important Examples of Cyber-Physical Systems Cyber-Physical Systems under Attack Models,

Important Examples of Cyber-Physical Systems Cyber-Physical Systems under Attack Models,

Important Examples of Cyber-Physical Systems Cyber-Physical Systems under Attack Models, Fundamental Limitations, and Monitor Design Fabio Pasqualetti Florian D orfler Francesco Bullo Center for Control, Dynamical systems and Computation

994 views • 11 slides
Multilevel Models Session 3: Random coefficient models Outline Random coefficient models

Multilevel Models Session 3: Random coefficient models Outline Random coefficient models

Multilevel Models Session 3: Random coefficient models Outline Random coefficient models Allowing individual-level relationships to vary across groups Linking individual and group level explanations cross level interactions

2k views • 15 slides
Linking Linking the the Digital Ag Digital Agend enda to r to rur ural al and spar and

Linking Linking the the Digital Ag Digital Agend enda to r to rur ural al and spar and

SEDEC Commission Meeting, Committee of the Regions Brussels, 20 April 2016 Linking Linking the the Digital Ag Digital Agend enda to r to rur ural al and spar and sparsel sely popula y populated ted ar areas eas to to boost boost

428 views • 12 slides
Using Hospital Data to Measure Quality of Care and Linking it to DRG of Care and Linking it to

Using Hospital Data to Measure Quality of Care and Linking it to DRG of Care and Linking it to

Using Hospital Data to Measure Quality of Care and Linking it to DRG of Care and Linking it to DRG (Case-Mix) Payments Presented by Jugna Shah, MPH President, Nimitt Consulting Inc. Nordic Case-Mix Conference Helsinki, Finland J ne 2010

450 views • 21 slides
Entity Linking Enityt Linking Laura Dietz dietz@cs.umass.edu University of Massachusetts Use

Entity Linking Enityt Linking Laura Dietz dietz@cs.umass.edu University of Massachusetts Use

Entity Linking Enityt Linking Laura Dietz dietz@cs.umass.edu University of Massachusetts Use cursor keys to fl ip through slides. Problem: Entity Linking Query Entity NIL Given query mention in a source document, identify which Wikipedia

938 views • 59 slides
linking, cross-lingual entity linking) TAC 2011 Summarization Track Guided Summarization task

linking, cross-lingual entity linking) TAC 2011 Summarization Track Guided Summarization task

Overview of the TAC2011 Summarization (Guided, AESOP, MultiLing) RTE (within a corpus including novelty detection and ablation testing) Knowledge Base Population (monolingual entity linking, cross-lingual entity linking) TAC 2011 Summarization

596 views • 10 slides
DYNAMIC LINKING CONSIDERED HARMFUL 1 WHY WE NEED LINKING Want to access code/data defined

DYNAMIC LINKING CONSIDERED HARMFUL 1 WHY WE NEED LINKING Want to access code/data defined

DYNAMIC LINKING CONSIDERED HARMFUL 1 WHY WE NEED LINKING Want to access code/data defined somewhere else (another file in our project, a library, etc) In compiler-speak, we want symbols with external linkage I only really care

563 views • 39 slides
Linear Biases in AEGIS Keystream Brice Minaud ANSSI, France SAC August 15, 2014 Plan 1

Linear Biases in AEGIS Keystream Brice Minaud ANSSI, France SAC August 15, 2014 Plan 1

Linear Biases in AEGIS Keystream Brice Minaud ANSSI, France SAC August 15, 2014 Plan 1 Blockwise Stream Ciphers 2 Presentation of AEGIS 3 Linear Biases in AEGIS 1/22 Blockwise Stream Ciphers 2/22 Authenticated Encryption Schemes C

1.07k views • 39 slides
Linking Land Use and Water Marjo Curgus Del Corazon Consulting Why Does Linking Land Use and

Linking Land Use and Water Marjo Curgus Del Corazon Consulting Why Does Linking Land Use and

Linking Land Use and Water Marjo Curgus Del Corazon Consulting Why Does Linking Land Use and Water Matter? Your Logo or Name Here Paradigm Shift From S u p p l y S i d e Trea eatment tment Acq Acquisition uisition Infr Infrastr

217 views • 18 slides
The best of two traditions: Integrating bottom-up information in CGE models, including TIMES

The best of two traditions: Integrating bottom-up information in CGE models, including TIMES

Taran Fhn, Research Dep., Statistics Norway The best of two traditions: Integrating bottom-up information in CGE models, including TIMES input Linking CGE and TIMES Models - Workshop Technology and Innovation Centre, Strathclyde Univ., 1 09

258 views • 21 slides

More recommend