reconsidering the security bound of aes gcm siv
play

Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and - PowerPoint PPT Presentation

Dec 14, 2022 •395 likes •1.11k views

Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and Yannick Seurin 2 1 Nagoya University, Japan 2 ANSSI, France March 7, 2018 FSE 2018

  1. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and Yannick Seurin 2 1 Nagoya University, Japan 2 ANSSI, France March 7, 2018 — FSE 2018 T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 1 / 26

  2. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Summary of the contribution • we reconsider the security of the AEAD scheme AES-GCM-SIV designed by Gueron, Langley, and Lindell • we identify flaws in the designers’ security analysis and propose a new security proof • our findings leads to significantly reduced security claims, especially for long messages • we propose a simple modification to the scheme (key derivation function) improving security without efficiency loss T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 2 / 26

  3. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Summary of the contribution • we reconsider the security of the AEAD scheme AES-GCM-SIV designed by Gueron, Langley, and Lindell • we identify flaws in the designers’ security analysis and propose a new security proof • our findings leads to significantly reduced security claims, especially for long messages • we propose a simple modification to the scheme (key derivation function) improving security without efficiency loss T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 2 / 26

  4. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Summary of the contribution • we reconsider the security of the AEAD scheme AES-GCM-SIV designed by Gueron, Langley, and Lindell • we identify flaws in the designers’ security analysis and propose a new security proof • our findings leads to significantly reduced security claims, especially for long messages • we propose a simple modification to the scheme (key derivation function) improving security without efficiency loss T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 2 / 26

  5. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Summary of the contribution • we reconsider the security of the AEAD scheme AES-GCM-SIV designed by Gueron, Langley, and Lindell • we identify flaws in the designers’ security analysis and propose a new security proof • our findings leads to significantly reduced security claims, especially for long messages • we propose a simple modification to the scheme (key derivation function) improving security without efficiency loss T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 2 / 26

  6. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Outline Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 3 / 26

  7. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Outline Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 4 / 26

  8. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks History of (AES)-GCM-(SIV) AEAD schemes • GCM [MV04] • CTR encryption + Wegman-Carter MAC • Encrypt-then-MAC composition • widely deployed, not nonce-misuse resistant [Jou06, BZD + 16] • GCM-SIV [GL15] • same components as GCM • Synthetic IV (SIV) composition [RS06] • nonce-misuse resistant • AES-GCM-SIV [GLL16, GLL17] • � = GCM-SIV instantiated with AES • similar to GCM-SIV but three modifications: • universal hash function (POLYVAL instead of GHASH) • full-block counter • nonce-based key derivation ( K , N ) �→ ( K polyval , K BC ) • proposed for standardization at IETF CFRG T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 5 / 26

  9. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks History of (AES)-GCM-(SIV) AEAD schemes • GCM [MV04] • CTR encryption + Wegman-Carter MAC • Encrypt-then-MAC composition • widely deployed, not nonce-misuse resistant [Jou06, BZD + 16] • GCM-SIV [GL15] • same components as GCM • Synthetic IV (SIV) composition [RS06] • nonce-misuse resistant • AES-GCM-SIV [GLL16, GLL17] • � = GCM-SIV instantiated with AES • similar to GCM-SIV but three modifications: • universal hash function (POLYVAL instead of GHASH) • full-block counter • nonce-based key derivation ( K , N ) �→ ( K polyval , K BC ) • proposed for standardization at IETF CFRG T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 5 / 26

  10. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks History of (AES)-GCM-(SIV) AEAD schemes • GCM [MV04] • CTR encryption + Wegman-Carter MAC • Encrypt-then-MAC composition • widely deployed, not nonce-misuse resistant [Jou06, BZD + 16] • GCM-SIV [GL15] • same components as GCM • Synthetic IV (SIV) composition [RS06] • nonce-misuse resistant • AES-GCM-SIV [GLL16, GLL17] • � = GCM-SIV instantiated with AES • similar to GCM-SIV but three modifications: • universal hash function (POLYVAL instead of GHASH) • full-block counter • nonce-based key derivation ( K , N ) �→ ( K polyval , K BC ) • proposed for standardization at IETF CFRG T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 5 / 26

  11. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks History of (AES)-GCM-(SIV) AEAD schemes • GCM [MV04] • CTR encryption + Wegman-Carter MAC • Encrypt-then-MAC composition • widely deployed, not nonce-misuse resistant [Jou06, BZD + 16] • GCM-SIV [GL15] • same components as GCM • Synthetic IV (SIV) composition [RS06] • nonce-misuse resistant • AES-GCM-SIV [GLL16, GLL17] • � = GCM-SIV instantiated with AES • similar to GCM-SIV but three modifications: • universal hash function (POLYVAL instead of GHASH) • full-block counter • nonce-based key derivation ( K , N ) �→ ( K polyval , K BC ) • proposed for standardization at IETF CFRG T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 5 / 26

  12. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks History of (AES)-GCM-(SIV) AEAD schemes • GCM [MV04] • CTR encryption + Wegman-Carter MAC • Encrypt-then-MAC composition • widely deployed, not nonce-misuse resistant [Jou06, BZD + 16] • GCM-SIV [GL15] • same components as GCM • Synthetic IV (SIV) composition [RS06] • nonce-misuse resistant • AES-GCM-SIV [GLL16, GLL17] • � = GCM-SIV instantiated with AES • similar to GCM-SIV but three modifications: • universal hash function (POLYVAL instead of GHASH) • full-block counter • nonce-based key derivation ( K , N ) �→ ( K polyval , K BC ) • proposed for standardization at IETF CFRG T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 5 / 26

  13. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks History of (AES)-GCM-(SIV) AEAD schemes • GCM [MV04] • CTR encryption + Wegman-Carter MAC • Encrypt-then-MAC composition • widely deployed, not nonce-misuse resistant [Jou06, BZD + 16] • GCM-SIV [GL15] • same components as GCM • Synthetic IV (SIV) composition [RS06] • nonce-misuse resistant • AES-GCM-SIV [GLL16, GLL17] • � = GCM-SIV instantiated with AES • similar to GCM-SIV but three modifications: • universal hash function (POLYVAL instead of GHASH) • full-block counter • nonce-based key derivation ( K , N ) �→ ( K polyval , K BC ) • proposed for standardization at IETF CFRG T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 5 / 26

  14. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks History of (AES)-GCM-(SIV) AEAD schemes • GCM [MV04] • CTR encryption + Wegman-Carter MAC • Encrypt-then-MAC composition • widely deployed, not nonce-misuse resistant [Jou06, BZD + 16] • GCM-SIV [GL15] • same components as GCM • Synthetic IV (SIV) composition [RS06] • nonce-misuse resistant • AES-GCM-SIV [GLL16, GLL17] • � = GCM-SIV instantiated with AES • similar to GCM-SIV but three modifications: • universal hash function (POLYVAL instead of GHASH) • full-block counter • nonce-based key derivation ( K , N ) �→ ( K polyval , K BC ) • proposed for standardization at IETF CFRG T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 5 / 26

  15. Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks History of (AES)-GCM-(SIV) AEAD schemes • GCM [MV04] • CTR encryption + Wegman-Carter MAC • Encrypt-then-MAC composition • widely deployed, not nonce-misuse resistant [Jou06, BZD + 16] • GCM-SIV [GL15] • same components as GCM • Synthetic IV (SIV) composition [RS06] • nonce-misuse resistant • AES-GCM-SIV [GLL16, GLL17] • � = GCM-SIV instantiated with AES • similar to GCM-SIV but three modifications: • universal hash function (POLYVAL instead of GHASH) • full-block counter • nonce-based key derivation ( K , N ) �→ ( K polyval , K BC ) • proposed for standardization at IETF CFRG T. Iwata and Y. Seurin Reconsidering AES-GCM-SIV’s Security FSE 2018 5 / 26

Recommend

OS Structure and Performance OS Structure and Performance Reconsidering the Kernel Interface

OS Structure and Performance OS Structure and Performance Reconsidering the Kernel Interface

OS Structure and Performance OS Structure and Performance Reconsidering the Kernel Interface Reconsidering the Kernel Interface Mach and NT are representative of systems that seek to provide richer, more general kernel interfaces than Unix.

523 views • 23 slides
Short Variable Length Domain Extenders With Beyond Birthday Bound Security Yu Long Chen 1 Bart

Short Variable Length Domain Extenders With Beyond Birthday Bound Security Yu Long Chen 1 Bart

Short Variable Length Domain Extenders With Beyond Birthday Bound Security Yu Long Chen 1 Bart Mennink 2 Mridul Nandi 3 imec-COSIC, KU Leuven Digital Security Group, Radboud University, Nijmegen Indian Statistical Institute, Kolkata December 3,

854 views • 47 slides
Reconsidering the Consequences of Worker Displacements: Survey versus Administrative Measurements

Reconsidering the Consequences of Worker Displacements: Survey versus Administrative Measurements

Reconsidering the Consequences of Worker Displacements: Survey versus Administrative Measurements Aaron Flaaen 1 Matthew Shapiro 2 3 Isaac Sorkin 2 4 1 Federal Reserve Board 2 University of Michigan 3 NBER 4 FRB Chicago SIEPR Conference on

704 views • 43 slides
1 Mach Overview Mach Overview Mach Mach Mach is more general than NT in that objects named by

1 Mach Overview Mach Overview Mach Mach Mach is more general than NT in that objects named by

Reconsidering the Kernel Interface Reconsidering the Kernel Interface Mach and NT are representative of systems that seek to provide richer, more general kernel interfaces than Unix. decouple elements of process abstraction OS Structure and

256 views • 4 slides
Reconsidering the Internet Routing Architecture Olivier Bonaventure Universit catholique de

Reconsidering the Internet Routing Architecture Olivier Bonaventure Universit catholique de

Reconsidering the Internet Routing Architecture Olivier Bonaventure Universit catholique de Louvain, Belgium March 12, 2007 1 Introduction The current growth of the BGP routing tables [15] and Forwarding Information bases (FIB) on core

299 views • 9 slides
GPUdrive : Reconsidering Storage Accesses for GPU Acceleration Mustafa Shihab, Karl Taht, and

GPUdrive : Reconsidering Storage Accesses for GPU Acceleration Mustafa Shihab, Karl Taht, and

GPUdrive : Reconsidering Storage Accesses for GPU Acceleration Mustafa Shihab, Karl Taht, and Myoungsoo Jung Computer Architecture and Memory Systems Laboratory Department of Electrical Engineering The University of Texas at Dallas Takeaways

582 views • 22 slides
Curriculum Why we are reconsidering the curriculum at Little Paxton Presentation by the Head

Curriculum Why we are reconsidering the curriculum at Little Paxton Presentation by the Head

Curriculum Why we are reconsidering the curriculum at Little Paxton Presentation by the Head Teacher to the Curriculum & Standards Committee 3/6/19 The difference between the National Curriculum and what is meant by the curriculum The

347 views • 9 slides
Consistency Analysis for Massively Inconsistent Datasets in Bound-to-Bound Data Collaboration

Consistency Analysis for Massively Inconsistent Datasets in Bound-to-Bound Data Collaboration

Consistency Analysis for Massively Inconsistent Datasets in Bound-to-Bound Data Collaboration Arun Hegde Wenyu Li James Oreluk Andrew Packard Michael Frenklach December 19, 2017 Abstract Bound-to-Bound Data Collaboration

462 views • 32 slides
Timeless Theory vs. Changing Users: Reconsidering Database Education Purpose of the Session

Timeless Theory vs. Changing Users: Reconsidering Database Education Purpose of the Session

Timeless Theory vs. Changing Users: Reconsidering Database Education Purpose of the Session Demonstration of subject matter mastery, teaching skills But theme topic required Focus on my two divergent roles Database and application

445 views • 28 slides
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp ESC, Echternach Symmetric Crypto seminar January 11, 2008 Blockcipher plaintext M

576 views • 40 slides
Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata

Authenticated Encryption Mode for Beyond the Birthday Bound Security Tetsu Iwata Nagoya University iwata@cse.nagoya-u.ac.jp Africacrypt 2008, Casablanca, Morocco June 11, 2008 Blockcipher plaintext M key K E

720 views • 37 slides
Tweakable blockciphers with beyond-birthday-bound security Will Landecker, Thomas Shrimpton, and

Tweakable blockciphers with beyond-birthday-bound security Will Landecker, Thomas Shrimpton, and

Tweakable blockciphers with beyond-birthday-bound security Will Landecker, Thomas Shrimpton, and Seth Terashima Portland State University 1 Tweakable blockciphers (TBCs) Tweak T Input block X ( bits) ( n bits) Add an extra input, a

732 views • 21 slides
The lattice model (continued) This satisfies the definition of lattice. There is a single

The lattice model (continued) This satisfies the definition of lattice. There is a single

The lattice model (continued) This satisfies the definition of lattice. There is a single source and sink. The least upper bound of the security classes {x} and {z} is {x,z} and the greatest lower bound of the security classes {x,y} and

698 views • 31 slides
New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata

New Blockcipher Modes of Operation with Beyond the Birthday Bound Security Tetsu Iwata Ibaraki University March 17, 2006 Fast Software Encryption, FSE 2006, Graz, Austria, March 1517, 2006 Blockcipher Modes Algorithms

1.42k views • 30 slides
Reconsidering green industrial policy: Does techno-nationalism maximise green growth in the

Reconsidering green industrial policy: Does techno-nationalism maximise green growth in the

Reconsidering green industrial policy: Does techno-nationalism maximise green growth in the domestic economy? Addressing political economy concerns of investing in green industrial policy with increasing global competition in supplying green

534 views • 42 slides
if H has a b reak p oint k m H ( N ) Hoeffding Inequality Union Bound VC Bound

if H has a b reak p oint k m H ( N ) Hoeffding Inequality Union Bound VC Bound

Review of Leture 6 The V C Inequalit y is p olynomial if H has a b reak p oint k m H ( N ) Hoeffding Inequality Union Bound VC Bound space of k data sets 1 2 3 4 5 6 . . . 1 1 2 2 2 2 2 . . D 2

530 views • 25 slides
Branch & Bound Branch & Bound: A General Framework for ILPs Introduced in the 1960s

Branch & Bound Branch & Bound: A General Framework for ILPs Introduced in the 1960s

Hands-on Tutorial on Optimization F. Eberle, R. Hoeksma, and N. Megow September 25, 2019 Branch & Bound Branch & Bound: A General Framework for ILPs Introduced in the 1960s by Land and Doig Based on two principle ideas 1.

615 views • 36 slides
Branch and Bound CS31005: Algorithms-II Autumn 2020 IIT Kharagpur Branch and Bound An

Branch and Bound CS31005: Algorithms-II Autumn 2020 IIT Kharagpur Branch and Bound An

Branch and Bound CS31005: Algorithms-II Autumn 2020 IIT Kharagpur Branch and Bound An algorithm design technique, primarily for solving hard optimization problems Guarantees that the optimal solution will be found Does not

1.12k views • 49 slides
Risk Management at Outward Bound Australia Outward Bound Australia would like you to know that

Risk Management at Outward Bound Australia Outward Bound Australia would like you to know that

Risk Management at Outward Bound Australia Outward Bound Australia would like you to know that your childs safety is our number one priority. This year as we set out together to challenge and inspire your child, we hope that the following

350 views • 8 slides
Bernstein Bound is Tight Repairing Luykx-Preneel Optimal Forgeries Mridul Nandi Indian

Bernstein Bound is Tight Repairing Luykx-Preneel Optimal Forgeries Mridul Nandi Indian

History of WCS Outline Known Security Analysis Our Works Bernstein Bound is Tight Repairing Luykx-Preneel Optimal Forgeries Mridul Nandi Indian Statistical Institute, Kolkata CRYPTO 2018 History of WCS Outline Known Security Analysis Our

834 views • 57 slides
The p d -> 3 He and K - 3 He -> np reactions and bound nuclear states E. Oset, J.J.

The p d -> 3 He and K - 3 He -> np reactions and bound nuclear states E. Oset, J.J.

The p d -> 3 He and K - 3 He -> np reactions and bound nuclear states E. Oset, J.J. Xie, W. H. Liang, P. Moskal, M.Skurzok, C. Wilkin, T. Sekihara, A. Ramos The p d -> 3 He reaction close to threshold 3 He bound state The K-

301 views • 26 slides
Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo,

Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo,

Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo, Jonathan Katz, Xiao Wang, Chenkai Weng, Yu Yu All widely used GCs have a birthday-bound security Explicit attack GC based on fix-key block cipher

313 views • 7 slides
Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand Sibleyras 1 1 Inria quipe SECRET, Paris, France 2 Indian

1.05k views • 67 slides
On the maximum of the characteristic polynomial of the Circular Beta Ensemble Joseph Najnudel

On the maximum of the characteristic polynomial of the Circular Beta Ensemble Joseph Najnudel

Presentation of the setting Statement of the main result Orthogonal polynomial on the unit circle Sketch of proof of a non-sharp upper bound Sketch of proof of a sharper upper bound Strategy for a lower bound On the maximum of the

930 views • 63 slides

More recommend