online authenticated encryption and its nonce reuse
play

Online Authenticated Encryption and its Nonce-Reuse - PowerPoint PPT Presentation

Nov 01, 2023 •220 likes •730 views

Online Authenticated Encryption and its Nonce-Reuse Misuse-Resistance Viet Tung Hoang 1 Reza Reyhanitabar 2 Phillip Rogaway 3 Damian Vizr 4 1 UC, Santa Barbara 2 NEC Laboratories Europe, Germany 3 UC Davis 4 EPFL, Switzerland 6th Asian Workshop

  1. Online Authenticated Encryption and its Nonce-Reuse Misuse-Resistance Viet Tung Hoang 1 Reza Reyhanitabar 2 Phillip Rogaway 3 Damian Vizár 4 1 UC, Santa Barbara 2 NEC Laboratories Europe, Germany 3 UC Davis 4 EPFL, Switzerland 6th Asian Workshop on Symmetric Key Cryptography This work was partially supported by Microsoft Research D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 1 / 21

  2. “Online Authenticated Encryption” Popular topic � Several definitional works related to online AE (blockwise attacks, CCA definition and online decryption, nonce misuse resistance, streaming channels) Popular target � CAESAR 1st round: 11 + 6 schemes claim online nonce misuse-resistance (or a variant) � New OAE construction presented at DIAC 2016 Repeatedly a point of discussion � Definitional works appearing over a large timespan (2003 - now) � When is an AE scheme online? � When is an AE scheme online and nonce misuse-resistant? D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 2 / 21

  3. “Online Authenticated Encryption” Popular topic � Several definitional works related to online AE (blockwise attacks, CCA definition and online decryption, nonce misuse resistance, streaming channels) Popular target � CAESAR 1st round: 11 + 6 schemes claim online nonce misuse-resistance (or a variant) � New OAE construction presented at DIAC 2016 Repeatedly a point of discussion � Definitional works appearing over a large timespan (2003 - now) � When is an AE scheme online? � When is an AE scheme online and nonce misuse-resistant? D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 2 / 21

  4. Nonce-based AEAD [Rogaway 02] Enc : K × N × A × M → { 0 , 1 } ∗ + decryptability Dec : K × N × A × { 0 , 1 } ∗ → M ∪ {⊥} N, A, M Enc K ( · , · , · ) $( · , · , · ) A C C Dec K ( · , · , · ) N, A, C ⊥ ( · , · , · ) M/ ⊥ ⊥ N never repeats, ( N , A , C ) not trivially correct A Enc K ( · , · , · ) , Dec K ( · , · , · ) ⇒ 1 A $( · , · , · ) , ⊥ ( · , · , · ) ⇒ 1 � � � � Adv nAE ( A ) = Pr − Pr Π D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 3 / 21

  5. Nonce-based AEAD [Rogaway 02] Enc : K × N × A × M → { 0 , 1 } ∗ + decryptability Dec : K × N × A × { 0 , 1 } ∗ → M ∪ {⊥} N, A, M Enc K ( · , · , · ) $( · , · , · ) A C C Dec K ( · , · , · ) N, A, C ⊥ ( · , · , · ) M/ ⊥ ⊥ N never repeats, ( N , A , C ) not trivially correct A Enc K ( · , · , · ) , Dec K ( · , · , · ) ⇒ 1 A $( · , · , · ) , ⊥ ( · , · , · ) ⇒ 1 � � � � Adv nAE ( A ) = Pr − Pr Π � Efficient, good guarantees . . . unless nonces repeat � D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 3 / 21

  6. Nonce Misuse-Resistant AE [Rogaway, Shrimpton 06] Enc : K × N × A × M → { 0 , 1 } ∗ + decryptability Dec : K × N × A × { 0 , 1 } ∗ → M ∪ {⊥} N, A, M Enc K ( · , · , · ) $( · , · , · ) A C C Dec K ( · , · , · ) N, A, C ⊥ ( · , · , · ) M/ ⊥ ⊥ ( N , A , M ) never repeats, ( N , A , C ) not trivially correct A Enc K ( · , · , · ) , Dec K ( · , · , · ) ⇒ 1 A $( · , · , · ) , ⊥ ( · , · , · ) ⇒ 1 � � � � Adv MRAE ( A ) = Pr − Pr Π � Only full repetitions of ( N , A , M ) are leaked now, full integrity D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 3 / 21

  7. Online Authenticated Encryption Functionality Perspective M = 00101110010100101011010111 . . . E K MEM CPU limited indep. of | M | C = 10001111010101000101 . . . time Extremely constrained devices Jitter-sensitive applications Performance-critical applications Latency-sensitive applications D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 4 / 21

  8. Misuse-Resistant Online AE? Onlineness at odds with MRAE security: ◮ MRAE: every bit of C must depend on all bits of M ◮ online AE: can’t wait for all of M to compute C D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 5 / 21

  9. Misuse-Resistant Online AE? Onlineness at odds with MRAE security: ◮ MRAE: every bit of C must depend on all bits of M ◮ online AE: can’t wait for all of M to compute C Fleischmann, Forler, Lucks: Online nonce misuse-resistant AE (OAE) Promise a notion and schemes both ◮ nonce misuse-resistant: retains security in presence of nonce repetition ◮ online: single-pass encryption with O(1) of memory → Call it OAE1 D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 5 / 21

  10. Online Ciphers [Bellare, Boldyreva, Knudsen, Namprempre 01] Multiple of n strings B ∗ n (with B n = { 0 , 1 } n ) Length preserving E : K × B ∗ n → B ∗ n M 1 M 2 M 3 M 4 E K C 1 C 2 C 3 C 4 D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 6 / 21

  11. Online Ciphers [Bellare, Boldyreva, Knudsen, Namprempre 01] Multiple of n strings B ∗ n (with B n = { 0 , 1 } n ) Length preserving E : K × B ∗ n → B ∗ n M 1 M 2 M 3 M 4 M 1 M 2 M 3 M 4 π E K A C 1 C 2 C 3 C 4 C 1 C 2 C 3 C 4 ( A ) = Pr [ A E K ⇒ 1 ] − Pr [ A π ⇒ 1 ] Adv oprp E with π ← $ OPerm [ n ] D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 6 / 21

  12. Online Ciphers [Bellare, Boldyreva, Knudsen, Namprempre 01] Multiple of n strings B ∗ n (with B n = { 0 , 1 } n ) Length preserving E : K × B ∗ n → B ∗ n M 1 M 2 M ′ 3 M ′ M 1 M 2 M 3 M 4 4 π E K A C ′ C ′ C 1 C 2 C 3 C 4 C 1 C 2 3 4 ( A ) = Pr [ A E K ⇒ 1 ] − Pr [ A π ⇒ 1 ] Adv oprp E with π ← $ OPerm [ n ] OPerm [ n ] set of all φ s.t. φ is length preserving permutation over B n for all X , Y , Y ′ ∈ B n , φ ( X � Y ) and φ ( X , Y ′ ) share prefix of | X | bits D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 6 / 21

  13. OAE1 [Fleischman,Forler,Lucks 12] A multiple of n AE cipher is a triplet Π = ( K , E , D ) E : K × H × M → { 0 , 1 } ∗ D : K × H × { 0 , 1 } ∗ → B ∗ n ∪ {⊥} with M = B ∗ n and decryptability condition. Assume | C | = | M | + τ . D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 7 / 21

  14. OAE1 [Fleischman,Forler,Lucks 12] A multiple of n AE cipher is a triplet Π = ( K , E , D ) E : K × H × M → { 0 , 1 } ∗ D : K × H × { 0 , 1 } ∗ → B ∗ n ∪ {⊥} with M = B ∗ n and decryptability condition. Assume | C | = | M | + τ . M 1 M 2 M 3 M 4 Privacy OPerm [ n ] + random tag E K H τ + C 1 C 2 C 3 C 4 T Authenticity This should look like This should look like image of online permutation a random string Unforgeability for every H D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 7 / 21

  15. OAE1 Security Notion • for all H do π H ← $ OPerm[ n ] • for all H, M do • K ← $ K R H,M ← $ { 0 , 1 } τ H, M Enc K ( · , · ) π H ( · ) � R H,M A C C Dec K ( · , · ) H, C ⊥ ( · , · ) M/ ⊥ ⊥ ( A ) = Pr [ A E K ⇒ 1 ] − Pr [ A π ⇒ 1 ] Adv oprp E H , C must not be obtained via previous encryption D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 8 / 21

  16. OAE1 Attacks Trivial Attack: OAE1 schemes preserve LCP [ n ] ◮ for X , Y ∈ B ∗ n , LCP [ n ]( X , Y ) is longest common blockwise prefix D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 9 / 21

  17. OAE1 Attacks Trivial Attack: OAE1 schemes preserve LCP [ n ] ◮ for X , Y ∈ B ∗ n , LCP [ n ]( X , Y ) is longest common blockwise prefix Given C = Enc ( H , M 1 � M 2 � M 3 ) obtain M = M 1 � M 2 � M 3 M ← ε 1 C 1 C 2 C 3 T for i = 1 to 3 2 find B ∈ B n s.t. 1 LCP [ n ]( C , Enc ( H , M � B )) = 1 M ← M � B 2 return M 3 D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 9 / 21

  18. OAE1 Attacks Trivial Attack: OAE1 schemes preserve LCP [ n ] ◮ for X , Y ∈ B ∗ n , LCP [ n ]( X , Y ) is longest common blockwise prefix Given C = Enc ( H , M 1 � M 2 � M 3 ) obtain M = M 1 � M 2 � M 3 M ← ε 1 C 1 C 2 C 3 T for i = 1 to 3 2 C 1 T ′ find B ∈ B n s.t. 1 LCP [ n ]( C , Enc ( H , M � B )) = 1 M ← M � B 2 return M 3 D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 9 / 21

  19. OAE1 Attacks Trivial Attack: OAE1 schemes preserve LCP [ n ] ◮ for X , Y ∈ B ∗ n , LCP [ n ]( X , Y ) is longest common blockwise prefix Given C = Enc ( H , M 1 � M 2 � M 3 ) obtain M = M 1 � M 2 � M 3 M ← ε 1 C 1 C 2 C 3 T for i = 1 to 3 2 C 1 T ′ find B ∈ B n s.t. 1 C 1 C 2 T ∗ LCP [ n ]( C , Enc ( H , M � B )) = 1 M ← M � B 2 return M 3 D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 9 / 21

  20. OAE1 Attacks Trivial Attack: OAE1 schemes preserve LCP [ n ] ◮ for X , Y ∈ B ∗ n , LCP [ n ]( X , Y ) is longest common blockwise prefix Given C = Enc ( H , M 1 � M 2 � M 3 ) obtain M = M 1 � M 2 � M 3 M ← ε 1 C 1 C 2 C 3 T for i = 1 to 3 2 C 1 T ′ find B ∈ B n s.t. 1 C 1 C 2 T ∗ LCP [ n ]( C , Enc ( H , M � B )) = 1 M ← M � B 2 C 1 C 2 C 3 T return M 3 D. Vizár (EPFL) Online AE and Nonce Misuse-Resistance ASK 2016 9 / 21

Recommend

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

602 views • 27 slides
Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

(A brief, incomplete) Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and Privacy June 11, 2018 Authenticated Encryption M M Its complicated Probabilistic or deterministic AE? Nonce based AE?

868 views • 47 slides
Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Dept. Of Computer Science & Engineering, IIT Kharagpur, INDIA 2 Dept. Of Mathematics, Vidyasagar University, INDIA DIAC 2014, Santa Barbara, USA Nonce-based Encryption

298 views • 19 slides
Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
Online Authenticated Encryption Reza Reyhanitabar EPFL Switzerland ASK 2015 30 Sept - 3 Oct

Online Authenticated Encryption Reza Reyhanitabar EPFL Switzerland ASK 2015 30 Sept - 3 Oct

Online Authenticated Encryption Reza Reyhanitabar EPFL Switzerland ASK 2015 30 Sept - 3 Oct Singapore 1/34 Agenda I. The Emergence of Online-AE (OAE) II. Definitions of Security Notions III. Our New Security Definitions(s) and

495 views • 34 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein University of Illinois at Chicago & m Technische Universiteit Eindhoven c k More details, credits: competitions.cr.yp.to network

1.33k views • 118 slides
GCM-SIV: Full Nonce Mis isuse-Resistant Authenticated Encry ryption at t Under One Cycle per

GCM-SIV: Full Nonce Mis isuse-Resistant Authenticated Encry ryption at t Under One Cycle per

` GCM-SIV: Full Nonce Mis isuse-Resistant Authenticated Encry ryption at t Under One Cycle per Byt yte Shay Gueron Yehuda Lindell Bar-Ilan University Haifa Univ. and Intel Appeared at ACM CCS 2015 ` How to Encry rypt wit ith a Blo

684 views • 30 slides
The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich and Christian Rechberger University of Luxembourg and DTU (Denmark) Presented by Yu Sasaki (NTT, Japan) 15 August 2013 Authenticated encryption

556 views • 22 slides
Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan Daemen 1 , Michal Peeters 2 , and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. While mainstream symmetric cryptography has

519 views • 12 slides
Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva COSIC, KU Leuven, Belgium Cryptoday 2014 Technion, Haifa, Israel 30/12/2014 Outline Authenticated Encryption: AE Generic AE composition

732 views • 55 slides
Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

ELmD Authenticated Encryption Scheme EME based Authenticated Encryption Schemes Comparative Study of ELmD with other EME based AEs Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul Nandi Indian

364 views • 20 slides
The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton DIAC Directions in Authenticated Ciphers 05 July 2012

748 views • 52 slides
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological University, Katholieke Universiteit Leuven Presented at DIAC 1 Classification of Authenticated Encryption AEGIS Design rationale

635 views • 19 slides
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017 Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks 3. Steps to improve Wi-Fi

894 views • 35 slides
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1 TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption 2

956 views • 28 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Taxonomy of security Authenticated encryption

440 views • 26 slides
CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE:

CHAE: Challenges in Authenticated Encryption White paper available: https://chae.cr.yp.to CHAE: Challenges in Authenticated Encryption https://chae.cr.yp.to Contributors to the white paper Jean-Philippe Aumasson David McGrew Steve Babbage

411 views • 4 slides
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso

Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! ( Using AES with 128 bit block size in Galois Counter Mode and SHA2 ) Authenticated Encryption! ( Using AES with 128

893 views • 67 slides
Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr

Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr

Authenticated Encryption with Variable Stretch Reza Reyhanitabar 1 Serge Vaudenay 2 Damian Vizr 2 1 NEC Laboratories Europe, Germany 2 EPFL, Switzerland DIAC 2016: Directions in Authenticated Ciphers 2016 This work was partially supported by

696 views • 43 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity

So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity

So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity separately: Goal Primitive Security notion Data privacy symmetric encryption IND-CPA Data authenticity MAC UF-CMA Mihir Bellare UCSD 1

105 views • 9 slides
Introduction to Authenticated Encryption 1 / 27 www.iaik.tugraz.at Interface K K N , A , C ,

Introduction to Authenticated Encryption 1 / 27 www.iaik.tugraz.at Interface K K N , A , C ,

On A SCON and I SAP About Two Authenticated Encryption Schemes Christoph Dobraunig October 2018 Designed by: . Mendel, M. Schl A SCON : C. Dobraunig, M. Eichlseder, F affer I SAP : C. Dobraunig, M. Eichlseder, S. Mangard, F . Mendel, T.

987 views • 40 slides

More recommend