pipelineable on line encryption with tag poet
play

Pipelineable On-Line Encryption with Tag (POET) Farzaneh Abed 2 Scott - PowerPoint PPT Presentation

Dec 31, 2023 •22 likes •642 views

Pipelineable On-Line Encryption with Tag (POET) Farzaneh Abed 2 Scott Fluhrer 1 John Foley 1 Christian Forler 2 Eik List 2 Stefan Lucks 2 David McGrew 1 Jakob Wenzel 2 1 Cisco Systems, 2 Bauhaus-Universitt Weimar DIAC 2014 Santa Barbara, CA

  1. Pipelineable On-Line Encryption with Tag (POET) Farzaneh Abed 2 Scott Fluhrer 1 John Foley 1 Christian Forler 2 Eik List 2 Stefan Lucks 2 David McGrew 1 Jakob Wenzel 2 1 Cisco Systems, 2 Bauhaus-Universität Weimar DIAC 2014 Santa Barbara, CA Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 1

  2. Outline Motivation 1 Case Study: OTN Decryption Misuse CAESAR Submission POET 2 Security of POET 3 Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 2

  3. Motivation Section 1 Motivation Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 3

  4. Motivation Case Study: OTN Case Study: Optical Transport Network (OTN) Task: Secure network traffic . . . Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 4

  5. Motivation Case Study: OTN Case Study: Optical Transport Network (OTN) Task: Secure network traffic . . . . . . of real-time applications . . . Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 4

  6. Motivation Case Study: OTN Case Study: Optical Transport Network (OTN) Task: Secure network traffic . . . . . . of real-time applications . . . . . . in an Optical Transport Network (OTN) Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 4

  7. Motivation Case Study: OTN Case Study: Optical Transport Network (OTN) Task: Secure network traffic . . . . . . of real-time applications . . . . . . in an Optical Transport Network (OTN) High throughput (40 - 100 Gbit/s) Low latency (few clock cycles) Large message frames (64 KB) (usually consist of multiple TCP/IP or UDP/IP packages) Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 4

  8. Motivation Case Study: OTN Requirements for OTNs Security requirements: Data privacy (IND-CPA), and Data integrity (INT-CTXT) Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 5

  9. Motivation Case Study: OTN Requirements for OTNs Security requirements: Data privacy (IND-CPA), and Data integrity (INT-CTXT) Functional requirements: On-line encryption/decryption Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 5

  10. Motivation Case Study: OTN Problem and Workarounds Problem: High Latency of Authenticated Decryption 1 Decryption of the entire message 2 Verification of the authentication tag For 64-kB frames we have 4,096 ciphertext blocks (128 bits) Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 6

  11. Motivation Case Study: OTN Problem and Workarounds Problem: High Latency of Authenticated Decryption 1 Decryption of the entire message 2 Verification of the authentication tag For 64-kB frames we have 4,096 ciphertext blocks (128 bits) Workarounds: Decrypt-then-mask? [Fouque et al. 03] ⇒ latency again Pass plaintext beforehand and hope. . . Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 6

  12. Motivation Case Study: OTN Problem and Workarounds Problem: High Latency of Authenticated Decryption 1 Decryption of the entire message 2 Verification of the authentication tag For 64-kB frames we have 4,096 ciphertext blocks (128 bits) Workarounds: Decrypt-then-mask? [Fouque et al. 03] ⇒ latency again Pass plaintext beforehand and hope. . . Drawbacks: Plaintext information would leak if authentication tag invalid Literature calls this setting decryption-misuse [Fleischmann, Forler, and Lucks 12] Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 6

  13. Motivation Decryption Misuse How Severe is Decryption-Misuse? Puts security at high risk CCA-adversary may inject controlled manipulations Particularly, CTR-mode based AE schemes C ⊕ ∆ → Dec M ⊕ ∆ Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 7

  14. Motivation Decryption Misuse How Severe is Decryption-Misuse? Puts security at high risk CCA-adversary may inject controlled manipulations Particularly, CTR-mode based AE schemes C ⊕ ∆ → Dec M ⊕ ∆ Decryption-misuse is not covered by existing CCA3-security proofs Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 7

  15. Motivation Decryption Misuse Decryption Misuse Resistance Best to wish for: Manipulation of ciphertext block C i ⇒ completely random plaintext Contradiction to on-line requirement Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 8

  16. Motivation Decryption Misuse Decryption Misuse Resistance Best to wish for: Manipulation of ciphertext block C i ⇒ completely random plaintext Contradiction to on-line requirement What can we achive with an on-line encryption scheme? Manipulation of C i ⇒ M i , M i + 1 , . . . random garbage Adversary sees at best common message prefixes Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 8

  17. Motivation Decryption Misuse Decryption Misuse Resistance Best to wish for: Manipulation of ciphertext block C i ⇒ completely random plaintext Contradiction to on-line requirement What can we achive with an on-line encryption scheme? Manipulation of C i ⇒ M i , M i + 1 , . . . random garbage Adversary sees at best common message prefixes The security notion of OPRP-CCA covers this behaviour [Bellare et al. 01] Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 8

  18. Motivation Decryption Misuse On-Line Permutation P 1 P 2 P 3 P 4 P 5 Encrypt C 3 C 4 C 5 C 1 C 2 C' 3 C' 4 C' 5 Encrypt P 1 P 2 P' 3 P 4 P 5 On-Line Pseudo Random Permutation (OPRP) Like a PRP with the following property: Plaintexts with common prefix → ciphertexts with common prefix (Bellare et al.; “Online Ciphers and the Hash-CBC Construction”; CRYPTO’01) Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 9

  19. Motivation Decryption Misuse OPRP-CCA Definition (OPRP-CCA Advantage) Let P be a random on-line permutation, Π = ( K , E , D ) an on-line $ encryption scheme, k ← K () , and A be an adversary. Then we have � � A E k ( . ) , D k ( . ) = � � A P ( . ) , P − 1 ( . ) = �� Adv OPRP-CCA ( A ) = � Pr ⇒ 1 − ⇒ 1 � � Π � Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 10

  20. Motivation Decryption Misuse Intermediate (Authentication) Tags Assume an OPRP-CCA secure encryption scheme Recap: Modifying C i = ⇒ M i , M i + 1 , . . . , M M random garbage Redundancy in the plaintext (e.g., checksum) Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 11

  21. Motivation Decryption Misuse Intermediate (Authentication) Tags Assume an OPRP-CCA secure encryption scheme Recap: Modifying C i = ⇒ M i , M i + 1 , . . . , M M random garbage Redundancy in the plaintext (e.g., checksum) = ⇒ intermediate authentication tags Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 11

  22. Motivation Decryption Misuse Intermediate (Authentication) Tags Assume an OPRP-CCA secure encryption scheme Recap: Modifying C i = ⇒ M i , M i + 1 , . . . , M M random garbage Redundancy in the plaintext (e.g., checksum) = ⇒ intermediate authentication tags Common network packets (TCP/IP , UDP/IP) have a checksum = ⇒ OTN: 16-bit integrity for free (per packet) Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 11

  23. CAESAR Submission POET Section 2 CAESAR Submission POET Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 12

  24. CAESAR Submission POET Pipeline On-Line Encryption (POE) M b − 1 M 1 M 2 τ X b − 2 F K 1 F K 1 X 2 F K 1 ... E E E τ Y 2 Y b − 2 F K 2 F K 2 F K 2 C 1 C 2 C b − 1 POE is a OPRP-CCA secure enc scheme [Abed et al. 14] Actually, it provides birthday bound security POE is used to process a message or ciphertext Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 13

  25. CAESAR Submission POET POET Header Processing H a − 1 H a || 10 ∗ H 1 H 2 H a L 2 L 2 a − 2 L 2 a − 2 3 L 2 a − 2 5 L K K K E E E ... ... K K E E τ τ We just borrowed the PMAC design [Black & Rogaway 02] Nonce is (part of) the header Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 14

  26. CAESAR Submission POET POET M b − 1 M b || τ α M 1 M 2 τ L T E K ( | M | ) F K 1 F K 1 F K 1 F K 1 F K 1 τ X 2 X b − 2 ... E E E E E F K 2 F K 2 F K 2 F K 2 F K 2 τ Y 2 Y b − 2 L T E K ( | M | ) T β || Z C 1 C 2 C b − 1 C b || T α Well pipelineable 1 BC + 2 AXU hash-function ( F ) calls per block Borrows tag-splitting procedure from McOE Robust against nonce- and decryption-misuse Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 15

  27. CAESAR Submission POET Requirements for F Basic Assumption ( F is AXU) F : { 0 , 1 } k × { 0 , 1 } n → { 0 , 1 } n is ǫ -AXU Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 16

  28. CAESAR Submission POET Requirements for F Basic Assumption ( F is AXU) F : { 0 , 1 } k × { 0 , 1 } n → { 0 , 1 } n is ǫ -AXU Further Assumption (Cascade F b is AXU) F b κ ( X ) := F κ ( . . . ( F κ ( X 1 ) ⊕ X 2 ) , . . . ) ⊕ X b ) is b · ǫ -AXU Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 16

  29. CAESAR Submission POET Requirements for F Basic Assumption ( F is AXU) F : { 0 , 1 } k × { 0 , 1 } n → { 0 , 1 } n is ǫ -AXU Further Assumption (Cascade F b is AXU) F b κ ( X ) := F κ ( . . . ( F κ ( X 1 ) ⊕ X 2 ) , . . . ) ⊕ X b ) is b · ǫ -AXU Thanks to Mridul Nandi for pointing out this implicit assumption for F in our inital version Cisco Systems, Bauhaus-Universität Weimar POET DIAC 2014 16

Recommend

Pipelineable On-Line Encryption (POE) FSE 2014 Farzaneh Abed 2 Scott Fluhrer 1 John Foley 1

Pipelineable On-Line Encryption (POE) FSE 2014 Farzaneh Abed 2 Scott Fluhrer 1 John Foley 1

Pipelineable On-Line Encryption (POE) FSE 2014 Farzaneh Abed 2 Scott Fluhrer 1 John Foley 1 Christian Forler 2 Eik List 2 Stefan Lucks 2 David McGrew 1 Jakob Wenzel 2 1 Cisco Systems, 2 Bauhaus-Universitt Weimar March 3, 2014 London, UK Cisco

895 views • 50 slides
Poet: Prototype Object Extension for Tcl poet.sourceforge.net Tcl'2007 New Orleans Poet Poet:

Poet: Prototype Object Extension for Tcl poet.sourceforge.net Tcl'2007 New Orleans Poet Poet:

Phil Mercurio Thyrd.org Poet: Prototype Object Extension for Tcl poet.sourceforge.net Tcl'2007 New Orleans Poet Poet: Prototype Object Extension for Tcl Dynamic, prototype-based inheritance One-way constraints Persistence Assimilation of

359 views • 20 slides
Introduction to Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter

Introduction to Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter

Introduction to Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 3 Page 1 CS 236 Online Outline What is data encryption? Cryptanalysis Basic encryption methods Substitution ciphers

766 views • 21 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware Encryption S Web Encryption S Email Encryption OpenPGP S S/MIME S S Online Social Network Public Key Encryption S Encryption/Decryption

842 views • 26 slides
PoET-BiN: Power Efficient Tiny Binary Neurons Sivakumar Chidambaram 1 , J.M. Pierre Langlois 2 ,

PoET-BiN: Power Efficient Tiny Binary Neurons Sivakumar Chidambaram 1 , J.M. Pierre Langlois 2 ,

Introduction Background PoET-BiN Experimental setup and results Conclusion PoET-BiN: Power Efficient Tiny Binary Neurons Sivakumar Chidambaram 1 , J.M. Pierre Langlois 2 , Jean Pierre David 1 Department of Electrical Engineering 1 Department

243 views • 20 slides
RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of encryption Wednesday, but none of these is good enough to be used in actual situations. Today well talk about one method, RSA Encryption, which is

1.01k views • 59 slides
CHAIRS REPORT Park Board Committee Meeting Monday, June 18, 2018 May 15: City Poet Laureate

CHAIRS REPORT Park Board Committee Meeting Monday, June 18, 2018 May 15: City Poet Laureate

CHAIRS REPORT Park Board Committee Meeting Monday, June 18, 2018 May 15: City Poet Laureate City Hall Commissioner Evans joined Musqueam hip-hop artist Christie Charles who was named Vancouvers fifth poet laureate. May 18: Kits Pool Media

450 views • 20 slides
Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a way that only authorized parties can read the content of the original message History of encryption dates back to 1900 BC Two types of

533 views • 38 slides
Generating Topical Poetry Marjan Ghazvininejad Xing Shi, Yejin Choi, Kevin Knight Hafez: a Poet

Generating Topical Poetry Marjan Ghazvininejad Xing Shi, Yejin Choi, Kevin Knight Hafez: a Poet

Generating Topical Poetry Marjan Ghazvininejad Xing Shi, Yejin Choi, Kevin Knight Hafez: a Poet From Shiraz, Iran Hafez: a Poet From ISI A system that creates computer generated poems - Any user-supplied topic - Any number of distinct poems

597 views • 59 slides
Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data, but result remains encrypted Functional

987 views • 61 slides
Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2

Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2

Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2 What is Encryption? Want to prevent someone (an attacker) from accessing private data Permissions arent good enough Root user can

788 views • 20 slides
Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption [DH76,M78,RSA78,GM84] Avoid Prior Secret Exchange PubK SK 2 Functional Encryption [SW05] Functionality: f( , ) MSK Authority Key: y 2 {0,1}* y SK CT: x

945 views • 16 slides
McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann Christian Forler Stefan Lucks Bauhaus-Universit at Weimar FSE 2012 Fleischmann, Forler, Lucks. FSE 2012. McOE: A Family . . . 1

473 views • 28 slides
Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Defining Encryption (ctd.) Lecture 3 CPA/CCA security Computational Indistinguishability Pseudo-randomness, One-Way Functions Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too strong (though too

1.36k views • 113 slides
Lecture 3 Encryption Suggested readings: Chs 1 & 2 in KPS Ch 1 in Stinson

Lecture 3 Encryption Suggested readings: Chs 1 & 2 in KPS Ch 1 in Stinson

Lecture 3 Encryption Suggested readings: Chs 1 & 2 in KPS Ch 1 in Stinson (recommended) 1 Encryption Principles A cryptosystem has (at least) five ingredients: 1. Plaintext 2. Secret Key 3. Ciphertext 4. Encryption algorithm 5.

657 views • 12 slides
Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption

Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption

Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption Standardization Consortium HomomorphicEncryption.org 0.1 Presenters Roger A. Hallman (SPAWAR Systems Center Pacific; Thayer School of

1.36k views • 91 slides
Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein University of Illinois at Chicago & m Technische Universiteit Eindhoven c k More details, credits: competitions.cr.yp.to network

1.33k views • 118 slides
Advanced Encryption Standard Lars R. Knudsen June 2014 L.R. Knudsen Advanced Encryption

Advanced Encryption Standard Lars R. Knudsen June 2014 L.R. Knudsen Advanced Encryption

Advanced Encryption Standard Lars R. Knudsen June 2014 L.R. Knudsen Advanced Encryption Standard AES - Advanced Encryption Standard US governmental encryption standard Open (world) competition announced January 97 Blocks: 128 bits Keys:

403 views • 39 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key

Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key

Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key Management Service Client Side Encryption AWS Encryption SDK Server Side Encryption S3 Object Encryption Amazon Simple Storage Service

387 views • 22 slides
Novel Encryption Method of GPS Information in Image File Using Format-preserving Encryption

Novel Encryption Method of GPS Information in Image File Using Format-preserving Encryption

Novel Encryption Method of GPS Information in Image File Using Format-preserving Encryption Changhyun Lee, Yeonju Choi, Hyeongmin Park, Kangbin Yim, and Sun-Young Lee Soonchunhyang University IMIS 2019 Presenter: Brandon Falk (

645 views • 21 slides
OPES and E2E Encryption Should OPES be compatible with end-to- end encryption? Define

OPES and E2E Encryption Should OPES be compatible with end-to- end encryption? Define

OPES and E2E Encryption Should OPES be compatible with end-to- end encryption? Define compatible Define the trust model Discuss pro and con Decide, spec, implement Goal: combine confidentiality with services, if

470 views • 11 slides
Addressing Your Number 1 Security Risk: Data Privacy, Data Encryption A Complimentary

Addressing Your Number 1 Security Risk: Data Privacy, Data Encryption A Complimentary

Addressing Your Number 1 Security Risk: Data Privacy, Data Encryption A Complimentary Webinar From healthsystemCIO.com Sponsored by Proofpoint Your Line Will Be Silent Until Our Event Begins at 12:00 ET Thank You! Slide Deck:

468 views • 22 slides

More recommend