new modes of encryption a perspective and a proposal
play

New Modes of Encryption - A Perspective and a Proposal Virgil D. - PowerPoint PPT Presentation

Nov 25, 2022 •148 likes •375 views

New Modes of Encryption - A Perspective and a Proposal Virgil D. Gligor* Pompiliu Donescu VDG Inc 6009 Brookside Drive Chevy Chase, Maryland 20815 {gligor, pompiliu}@eng.umd.edu NIST Modes of Operation Workshop Baltimore, Maryland October

  1. New Modes of Encryption - A Perspective and a Proposal Virgil D. Gligor* Pompiliu Donescu VDG Inc 6009 Brookside Drive Chevy Chase, Maryland 20815 {gligor, pompiliu}@eng.umd.edu NIST Modes of Operation Workshop Baltimore, Maryland October 20, 2000 (*) Part of this work was performed while on sabbatical leave from the University of Maryland, Department of Electrical and Computer Engineering, College Park, Maryland 20742 GD - 10/20/00 1

  2. Outline 1. Security Claims 2. Operational Claims 3. Evidence 4. Examples: XCBC, XECB-MAC and PM-XOR 5. Proposal: Three* Distinct Mode Candidates 6. Intellectual Property Status GD - 10/20/00 2

  3. 1. Security Claims for Modes of Encryption 1. Claim = a security notion supported by a mode or scheme of encryption 2. Security Notion = < security goal, attack characteristics> 3. Security Goal : confidentiality, integrity (authenticity), common - Examples: • confidentiality: indistinguishability (IND) • integrity: resistance to existential forgery (EF) • common: resistance to key searches (KS) • combinations 4. Attack Characteristics (models) - Examples: • Chosen (Known) Plaintext • Ciphertext-only • Chosen ciphertext • combinations GD - 10/20/00 3

  4. Example of a Chosen-Plaintext Attack Distributed Service: S (S1, S2), shared key K; Clients: Client 1. … Adv, …, Client n Adversary: Adv Client 1 . . . . OK / Null S2 S1 Client n K K forgery j ciphertext i 1i 2i 4j plaintext i Adv constructs ciphertext i forgery j 3j In attack scenario: S1 becomes an Encryption Oracle S2 becomes a Decryption Oracle GD - 10/20/00 4

  5. Example of Ciphertext-only Attack Distributed Service: S (S1, S2), shared key K; Clients: Client 1,…, Client n Adversary: Adv is not a client 1i plaintext i Client 1 . . . . OK / Null S2 S1 Client n K K forgery j ciphertext i 2i 4j Adv constructs ciphertext i forgery j 3j In attack scenario: No Encryption Oracle: plaintext i is r.u.d (Adv known absolutely nothing about plaintext i) GD - 10/20/00 5 S2 becomes a Decryption Oracle

  6. Example of Integrity Goals Existential Forgery protection (EF) : Pr[ D K (forgery) =/= Null ] is negligible Other Integrity Notions: constraints on D K (forgery) =/= Null Examples: Non-malleability (NM) : given ciphertext challenge y whose plaintext x may be unknown, find forgery of the same length as y : Pr [ D K (forgery) =/= Null and Relationship( D K (forgery), x) ] is negligible Integrity of Plaintexts (PI) : Pr [ D K (forgery) =/= Null and D K (forgery) =/= plaintexts encrypted before ] is negligible Assurance of Plaintext Uncertainty (PU) : Pr [ D K (forgery) =/= Null => D K (forgery) =/= plaintexts encrypted before and is unknown ] is close to 1 Protection against Chosen-Plaintext Forgery (CPF) : given a chosen plaintext challenge x , Pr [ D K (forgery) =/= Null and D K (forgery) = x =/= plaintexts encrypted before ] is negligible Note: some constraints may be integrity counter-intuitive; e.g., assurance of Known-Plaintext Forgery (KPF) Pr [ D K (forgery) =/= Null => D K (forgery) is known ] is close to 1. GD - 10/20/00 6

  7. Relationships among Integrity Notions KPF - CPA PI - CPA EF - CPA PU - CPA CPF - CPA CPF - CoA NM - CPA EF - CoA Legend: A B iff A ==> B and B =/=> A (``dominance’’) A ==> B iff mode is secure in A is also secure in B B =/=> A iff mode is secure in B is not secure in A GD - 10/20/00 7

  8. Examples of Modes Satisfying Different Integrity Notions Encryption Mode - “redundancy” function or Encryption Mode + MAC Mode PI - CPA Conf. DES-CBC-CRC32 (K v5, DCE) ``easy’’ IGE-z 0 EF - CPA PU - CPA CPF - CPA CPF - CoA VIL-CBC-nzg XOC-XOR XCBC-XOR IACBC NM - CPA IAPM BIGE-nzg PM-XOR OCB ctr-mode + XECB MAC EF - CoA Infinite Garble Extension ( IGE ) ctr-mode + PMAC Encryption: y i = Enc K (x i / y i-1 ) / x i -1 IGE-z 0 Note: italics designate modes presented in NIST Workshop on AES Modes of Encryption GD - 10/20/00 8

  9. 2. Operational Claims for Modes of Encryption 1. Claim = a operational notion supported by a mode or scheme of encryption 2. Operational Notion = < operational goals, mode characteristics > 3. Operational Goal : cost-performance, simplicity, others - Examples of (related) goals: • cost-performance: • low power consumption • high speed (e.g., throughput) • low implementation cost (e.g., hardware ``real-estate’’) • simplicity • single cryptographic primitive, key 4. Mode Characteristics - Examples: • State: stateless, stateful • Degree of parallelism • sequential • interleaved (apriori known or negotiated no. of proc. units) • fully parallel (independent of no. of processing units) • Separated Confidentiality and Integrity keys • Other: incremental, out-of-order processing GD - 10/20/00 9

  10. Examples of Operational Claims Low- and High-End Goals • cost-performance: • low power consumption • speed: moderate (e.g., < 100 MBS) > 100 GBS • low implementation cost hardware • simplicity • single cryptographic primitive (AES), key single crypto prim. Low- and High-End Mode Characteristics • State: stateful stateful, stateless • Degree of parallelism • sequential (single processor) fully parallel for Conf. & Integrity • Separated Confidentiality and Integrity keys: No Yes • Others: incremental, out-of-order processing: No Yes for both Conf. & Integrity GD - 10/20/00 10

  11. 3. Evidence for Claims 1. Mode specification 2. Security Claim - goal - attack pair(s) 3. “Proof “ - formal: Mode spec. satisfies Security Claim • standing assumption: AES is secure w.r.t. all known attacks - peer review - other empirical evidence: known attacks 4. Operational Claim - goal - mode characteristics pair(s) 5. Operational evidence - implementation + performance tests - other empirical evidence GD - 10/20/00 11

  12. XCBC Encryption Fact: Encryption is not intended to provide integrity Motivation - Encryption w/o integrity checking is all but useless [Bellovin 98] - Define family of encryption modes to help provide integrity with non-cryptographic “redundancy” functions - Security claims: IND-CPA confidentiality and EF-CPA integrity, reasonable bounds - Operational claims: preferred for Low- to Mid-End op. environment - Knowledge of operational environments: • apriori obtained • discovered via negotiation GD - 10/20/00 12

  13. Operational Claims Preferred environments : low- to mid-end Goals - cost performance •low power consumption • speed: moderate to high (e.g., close to CBC-UMAC-MMX30) • low implementation cost - simplicity • single cryptographic primitive (AES), key Mode Characteristics • State: stateful, stateless • Degree of parallelism: sequential (single processor), interleaved (known no. procs.) • Separated Confidentiality and Integrity keys: No • Others: incremental, out-of-order processing: Yes (if interleaved) GD - 10/20/00 13

  14. Stateless XCBC Scheme - Encryption of x = x 1 x 2 x 3 (single key is also possible) random x 1 r 0 x 2 x 3 z 0 key’ AES-e key AES-e key AES-e AES-e AES-e z 1 z 2 z 3 Extend op S 1 S 2 op op CBC S 3 S i = sequence y 0 op = operation y 1 y 2 y 3 Examples of S i and op combinations ( + is mod 2 l ; is bitwise exclusive-or) S i = S i-1 + r 0 , S 0 = 0 (written as S i = i x r 0 ) op = + Other S i and op definitions exist (e.g., C.S. Jutla’s and P. Rogaway’s proposals) GD - 10/20/00 14

  15. Stateless XCBC -XOR Scheme - Encryption of x = x 1 x 2 x 3 unpredictable function of message x g(x) random x 1 x 2 r 0 x x 4 3 z 0 key’ AES-e key key AES-e AES-e AES-e AES-e AES-e z 1 z 2 z 3 z 4 S 1 op S 2 op S 3 op op S 4 y y y y y 0 1 2 3 4 Example: g(x) = x 1 x2 x3 z’ 0 ; z’ 0 = z 0 GD - 10/20/00 15 Other examples of g(x) exist

  16. Selection Criteria for S i , op, g(x) ? Satisfy Security Claims: - Proof for integrity goal: EF-CPA ( must be able to do the proofs for selected S i , op, g(x) ): • integrity: [GD 00] Satisfy Operational Claims: - Goals: low- to mid-end environments Performance Example (by Jason S. Papadopoulos) PC: 366 MHz Intel Celeron; OS: Red Hat Linux 5.2; Compiler: egcs; optimization: -o3-mcpu = I686 - fomit - frame - pointer Block Enc/Dec : openSSL DES in-cache timing : 64B, 256B, 512B, 1KB, 2KB, 4KB, 8KB, 16KB, 64KB, 256 KB - aligned data on 8 byte boundary CBC-UMAC-MMX30 42.86 - 46.48 clocks / byte; and for 8B - 77.23 clocks/byte XCBC-XOR 43.38 - 44.62 clocks / byte; and for 8B - 49.57 clocks/byte - unaligned data (8 byte boundary +1) CBC-UMAC-MMX30 44.13 - 47.35 clocks / byte; and for 8B - 80.85 clocks/byte XCBC-XOR 44.38 - 45.00 clocks / byte; and for 8B - 49.58 clocks/byte GD - 10/20/00 16

  17. XECB - MAC Motivation - Stand-alone, fully parallel family of MACs, like the XOR-MAC • with better throughput • reasonable security bounds for EF- CPA - XORC (and ctr-mode) needs a MAC with similar mode characteristics using the same cryptographic primitive [ XORC, and ctr-mode, does not allow non-cryptographic “redundancy” function g(x) ] Preferred Operational Environment: High-End - XORC (ctr-mode) + XECB (or any other similar MAC) requires two keys => two separate passes in single processor , sequential implementations => approx. twice the power consumption and half speed of XCBC-XOR GD - 10/20/00 17

Recommend

Towards Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1

Towards Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1

Block cipher modes Generic Encryption Mode Our Approach Our Hoare Logic Result Conclusion Towards Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1 Martin Gagn Reihaneh Safavi-Naini 2 1 Universit

663 views • 35 slides
Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1 Martin

Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1 Martin

Automatic Proofs for Symmetric Encryption Modes Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1 Martin Gagn Reihaneh Safavi-Naini 2 1 Universit e Grenoble 1, CNRS, Verimag , FRANCE 2 Department of

538 views • 29 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
Depletion and mineral modes Mineral modes of peridotite are 48% Oli related to extent of melt

Depletion and mineral modes Mineral modes of peridotite are 48% Oli related to extent of melt

Lecture III: Mantle garnets as lithosphere proxies a major-element and temporal perspective Herman Grtter UBC Lectures - Mantle Indicators in modern use 30 October 2013 Depletion and mineral modes Mineral modes of peridotite are 48%

343 views • 8 slides
Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1 Martin

Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1 Martin

Automatic Proofs for Symmetric Encryption Modes e 2 Pascal Lafourcade 1 Yassine Lakhnech 1 Martin Gagn Reihaneh Safavi-Naini 2 1 Universit e Grenoble 1, CNRS, Verimag , FRANCE 2 Department of Computer Science, University of Calgary, Canada

400 views • 23 slides
Systems and Network Security (NETW-1002) Dr. Mohamed Abdelwahab Saleh IET-Networks, GUC Spring

Systems and Network Security (NETW-1002) Dr. Mohamed Abdelwahab Saleh IET-Networks, GUC Spring

Data Encryption Standard DES Modes of Operation Systems and Network Security (NETW-1002) Dr. Mohamed Abdelwahab Saleh IET-Networks, GUC Spring 2020 Data Encryption Standard DES Modes of Operation TOC Data Encryption Standard 1 DES Modes

424 views • 18 slides
AES-Based Authenticated Encryption Modes in Parallel High-Performance Software Andrey Bogdanov

AES-Based Authenticated Encryption Modes in Parallel High-Performance Software Andrey Bogdanov

AES-Based Authenticated Encryption Modes in Parallel High-Performance Software Andrey Bogdanov Martin M. Lauridsen Elmar Tischhauser mmeh @ dtu.dk DTU Compute, Technical University of Denmark DIAC 2014 Santa Barbara, August 24, 2014 Context

540 views • 19 slides
The Limited Power of Verification Queries in Message Authentication and Authenticated Encryption

The Limited Power of Verification Queries in Message Authentication and Authenticated Encryption

The Limited Power of Verification Queries in Message Authentication and Authenticated Encryption September 29, 2015 Atul Luykx, Bart Preneel, Kan Yasuda 1 / 15 Modes of Operation p E K F K E K 2 / 15 Modes of Operation p E K F K

428 views • 42 slides
One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University

One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University

One Time Pad, Block Ciphers, Encryption Modes Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Information Security 1 Basic Ciphers Shift Cipher Brute&amp;force attack can easily break Substitution Cipher Frequency

571 views • 35 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and

DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and

DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and Digital Voice Modes DMR and Digital Voice Modes Presented by N7MOT Lenny Gemar Amateur radio began with spark gap transmitters, evolving to Morse code and analog voice

442 views • 20 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata Ibaraki University March 17, 2006 Fast Software Encryption, FSE 2006, Graz, Austria, March 1517, 2006 Blockcipher Modes Algorithms

1.42k views • 30 slides
STUDENTS UNION PERSPECTIVE Overview Frank Robinson proposal Donor interest Peter

STUDENTS UNION PERSPECTIVE Overview Frank Robinson proposal Donor interest Peter

STUDENTS UNION PERSPECTIVE Overview Frank Robinson proposal Donor interest Peter Meekison brought on board Initiative launched Building plans for approval SU perspective Early Days Presentation to Deans Council

277 views • 10 slides
Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware Encryption S Web Encryption S Email Encryption OpenPGP S S/MIME S S Online Social Network Public Key Encryption S Encryption/Decryption

842 views • 26 slides
Untagging Tor: A Formal Treatment of Onion Encryption Jean Paul Degabriele Martijn Stam 1

Untagging Tor: A Formal Treatment of Onion Encryption Jean Paul Degabriele Martijn Stam 1

Untagging Tor: A Formal Treatment of Onion Encryption Jean Paul Degabriele Martijn Stam 1 Outline of this talk Overview of Tor Tagging Attacks and Their Severity Modelling Onion Encryption Tor Proposal 261 and Security Analysis

731 views • 21 slides
Sound Hashing Modes of Arbitrary Functions, Permutations, and Block Ciphers (SoK) Joan Daemen 1

Sound Hashing Modes of Arbitrary Functions, Permutations, and Block Ciphers (SoK) Joan Daemen 1

Sound Hashing Modes of Arbitrary Functions, Permutations, and Block Ciphers (SoK) Joan Daemen 1 Bart Mennink 1 Gilles Van Assche 2 Fast Software Encryption Paris, March 2019 1 Radboud University 2 STMicroelectronics 1 M 4 pad Hash function

800 views • 79 slides
ACTIVE MODES INFRASTRUCTURE GROUP 1 Walking and cycling (the Active Modes) have become an

ACTIVE MODES INFRASTRUCTURE GROUP 1 Walking and cycling (the Active Modes) have become an

ACTIVE MODES INFRASTRUCTURE GROUP 1 Walking and cycling (the Active Modes) have become an increasingly important component of the mode mix across the network. The Active Modes are considered a priority in the Safer Journeys strategy, which looks

247 views • 7 slides
RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of encryption Wednesday, but none of these is good enough to be used in actual situations. Today well talk about one method, RSA Encryption, which is

1.01k views • 59 slides
Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a way that only authorized parties can read the content of the original message History of encryption dates back to 1900 BC Two types of

533 views • 38 slides
perspective Dr Andrew Nance 07 November 2018 Agenda The Interconnector Proposal The

perspective Dr Andrew Nance 07 November 2018 Agenda The Interconnector Proposal The

RiverLink - The Proposed SA to NSW Interconnector from a consumer perspective Dr Andrew Nance 07 November 2018 Agenda The Interconnector Proposal The Identified Need the problem being solved The Context The Regulatory

533 views • 13 slides
Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data, but result remains encrypted Functional

987 views • 61 slides
Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2

Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2

Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2 What is Encryption? Want to prevent someone (an attacker) from accessing private data Permissions arent good enough Root user can

788 views • 20 slides
Section 16 Section 16 System Design a 16-1 1 Operating Modes Operating Modes a 16-2 2

Section 16 Section 16 System Design a 16-1 1 Operating Modes Operating Modes a 16-2 2

Section 16 Section 16 System Design a 16-1 1 Operating Modes Operating Modes a 16-2 2 Operating Modes User mode Causes exceptions when protected resources are accessed. May be used for algorithm/application code Supervisor mode

987 views • 64 slides

More recommend