The Evolution of Authenticated Encryption, Phillip Rogaway (slide deck)

1. The Evolution of Authenticated Encryption
Phillip Rogaway, University of California, Davis, USA
Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton
DIAC: Directions in Authenticated Ciphers, 05 July 2012, Stockholm, Sweden

2. Today
1. Introduction
   - The recognition of AE as a useful "thing"
   - Modes that don't work
2. Definitions and constructions
   - Defining AE
   - Generic composition
   - Historically ordered: RPC, XCBC$, IAPM, OCB
   - Defining nonce-based AEAD
   - CCM
   - GCM
   - OCB, again
   - Defining MRAE
   - SIV
3. Discussion
   - Taxonomy
   - Patents
   - Suggestions
   - Sample research questions

Section 1. Introduction

3. Authenticated Encryption (AE)
Promises two benefits:
1. An easier-to-correctly-use abstraction boundary
2. More efficient realizations
Begins with two realizations regarding symmetric encryption:
1. "Integrity" / "authenticity" is routinely needed
2. "Standard" privacy mechanisms don't provide it

4. Check / insert redundancy (CBC)
Appending a check value S = f(P) to the plaintext before CBC encryption gives no authenticity, for any choice of f.

5. Add more arrows: PCBC
See Yu, Hartman, Raeburn 2004, "The Perils of Unauthenticated Encryption: Kerberos Version 4"

6. Still more arrows/operations: iaPCBC [Gligor, Donescu 1999]
Promptly broken by Jutla (1999) and by Ferguson, Whiting, Kelsey, Wagner (1999)

7. Emerging understanding (~2000) that:
- Privacy beyond IND-CPA was often desirable
- It didn't come with standard encryption methods
- Simple ways to try to get it cheaply don't work
Similar realizations in the public-key world:
- [Bleichenbacher 1998] "A chosen ciphertext attack against protocols based on the RSA encryption standard PKCS #1"
- Reaction was that IND-CPA security was not enough:
  - CCA1 security (Naor-Yung 1990)
  - CCA2 security (Rackoff-Simon 1991)
  - Non-malleability (Dolev-Dwork-Naor 1991)

Section 2. Definitions and constructions

8. AE Defined
[Bellare, Rogaway 2000] "Encode-then-encipher encryption: how to exploit nonces or redundancy in plaintexts for efficient cryptography"
[Katz, Yung 2000] "Unforgeable encryption and chosen ciphertext secure modes of operation"
Syntax (figure): Enc takes coins, the key K and a message M and returns a ciphertext C; Dec takes K and C and returns M or ⊥.
- Conventional privacy [BDJR97]: indistinguishability / semantic security.
- Authenticity: the only ciphertexts C that will decrypt to something valid are those previously obtained by an Enc(·) call.

9. AE Defined: privacy [BDJR97]
The adversary A is given either the real oracle $\mathrm{Enc}_K(\cdot)$ or the oracle $\mathrm{Enc}_K(0^{|\cdot|})$ that encrypts zeros of the same length, and outputs a bit:
$\mathrm{Adv}^{\mathrm{priv}}_{\Pi}(A) = \Pr[A^{\mathrm{Enc}_K(\cdot)} \Rightarrow 1] - \Pr[A^{\mathrm{Enc}_K(0^{|\cdot|})} \Rightarrow 1]$

10. AE Defined: privacy and authenticity [BR00, KY00; BN00]
$\mathrm{Adv}^{\mathrm{priv}}_{\Pi}(A) = \Pr[A^{\mathrm{Enc}_K(\cdot)} \Rightarrow 1] - \Pr[A^{\mathrm{Enc}_K(0^{|\cdot|})} \Rightarrow 1]$
$\mathrm{Adv}^{\mathrm{auth}}_{\Pi}(A) = \Pr[A^{\mathrm{Enc}_K(\cdot)} \Rightarrow C^* : \text{no query returned } C^* \text{ and } \mathrm{Dec}_K(C^*) \neq \bot]$

11. The Strength of AE [BN00, KY00]
- Implies IND-CCA2 security
- Implies NM-CCA2 security

12. Generic Composition [BN 2000] of an IND-CPA encryption scheme $\mathrm{Enc}_K$ and a PRF $\mathrm{MAC}_L$
Figure, three compositions:
- Encrypt-and-MAC: C = Enc_K(M), T = MAC_L(M); output (C, T)
- MAC-then-Encrypt: T = MAC_L(M), C = Enc_K(M || T)
- Encrypt-then-MAC: C = Enc_K(M), T = MAC_L(C); output (C, T)

13. The Cost of Generic Composition
Cost(AE) = Cost(Enc) + Cost(MAC)
Example cases: Enc = CTR, CBC; MAC = CMAC, HMAC, PMAC, UMAC
⇒ Generic composition can be pretty cheap, if you use a cheap MAC

14. RPC Mode [KY00]
Figure: message blocks M1, M2, M3, M4 are bracketed by "start" and "end" blocks, each block is paired with a counter value i, i+1, ..., i+5, and each pair is enciphered with E_K, giving C0, C1, ..., C5.

15. XCBC$ Mode [Gligor, Donescu 2001]
Illustration from Gligor-Donescu US Patent 6973182 (2001) [figure not reproduced]

16. IAPM Mode [Jutla 2001]
Illustration from [Jutla 2001] [figure not reproduced]

17. OCB Mode (later "OCB1") [R, Bellare, Black, Krovetz 2001]
Like IAPM but highly optimized. Motivated by NIST's modes call.
- Arbitrary-length messages: $\mathrm{Checksum} = M[1] \oplus \cdots \oplus M[m-1] \oplus C[m]0^* \oplus Y[m]$
- Efficient offset calculations: $Z[i] = R \oplus \gamma_i L$
- $m + 2$ blockcipher calls, $m = \lceil |M|/n \rceil$
- Single blockcipher key
- Cheap key setup (one blockcipher call)

18. Two important players: NIST and IEEE 802.11i
- WiFi standard ratified in 1999; uses WEP security
- Fatal attacks soon emerge:
  - [Fluhrer, Mantin, Shamir 2001] Weaknesses in the key scheduling algorithm of RC4
  - [Stubblefield, Ioannidis, Rubin 2001] Using the Fluhrer, Mantin, Shamir attack to break WEP
  - [Borisov, Goldberg, Wagner 2001] Intercepting mobile communications: the insecurity of 802.11
  - [Cam-Winget, Housley, Wagner, Walker 2003] Security flaws in 802.11 data link protocols
- WEP → TKIP → WPA → WPA2
  - Draft solutions based on OCB
  - Politics and patent-avoidance: [Whiting, Housley, Ferguson 2002] develop CCM (= CCMP)
  - CCM standardized for 802.11, then NIST

19. Before describing CCM ... back to the definitional story
Figure: Enc now takes a nonce N, associated data AD, the key K and M and returns C; Dec takes N, AD, K and C and returns M or ⊥.
1) Move the coins "out" and make a "nonce" sufficient [RBBK01]
  - Random values routinely aren't
  - Many applications have an available nonce
  - Weaker user requirement; less misuse
2) Add in "associated data" [R02]
  - Requirement from Cam-Winget, Kaliski, Walker
  - AD is authenticated but not encrypted
  - Failure to provide the same AD on decryption results in ⊥

20. Also: AEAD
(1) Ask for indistinguishability from random bits [RBBK00]
(2) All-in-one definition [R, Shrimpton 2006]
The adversary A is given either the real oracles $\mathrm{Enc}_K(\cdot,\cdot,\cdot)$ and $\mathrm{Dec}_K(\cdot,\cdot,\cdot)$, or the ideal oracles $\$(\cdot,\cdot,\cdot)$ (returning random bits) and $\bot(\cdot,\cdot,\cdot)$ (always rejecting); enc queries are (N, AD, M), dec queries are (N, AD, C):
$\mathrm{Adv}^{\mathrm{aead}}_{\Pi}(A) = \Pr[A^{\mathrm{Enc}_K,\,\mathrm{Dec}_K} \Rightarrow 1] - \Pr[A^{\$,\,\bot} \Rightarrow 1]$
A may not: repeat an N-value in an enc query; or ask a dec query (N, AD, C) after C is returned by an (N, AD, ·) enc query.

21. CCM Mode [Whiting, Housley, Ferguson 2002]
NIST SP 800-38C; RFC 3610, 4309, 5084
Roughly MAC-then-Encrypt

22. Functions FORMAT and COUNT [figure; the definitions were not captured]

23. CCM Mode [Whiting, Housley, Ferguson 2002]
NIST SP 800-38C:2004; RFC 3610, 4309, 5084, 5116
See [R 2011], "Evaluation of Some Blockcipher Modes of Operation" (Ch. 11), following [R, Wagner 2003], "A Critique of CCM"
Pros:
- Provably secure AE, with OK bounds, if E is a good PRP [Jonsson 2002]
- Widely used, standardized (e.g. in 802.11)
- Simple to implement
- Only forward direction of blockcipher used
Cons:
- About 2m + 2 blockcipher calls
- Half non-parallelizable
- Word alignment disrupted
- Can't preprocess static AD
- Not "online": need to know m in advance
- Complex: bit-twiddling formatting; absent abstraction boundary
- User must specify q ∈ {2, 3, 4, 5, 6, 7, 8}, the byte length of the byte length of the longest message, which determines the nonce length (!) of 15 − q bytes
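The "complex bit-twiddling formatting" and the q / nonce-length coupling above are easiest to see in the block layout CCM feeds to CBC-MAC and CTR. The following is an added example written for this page, not code from the slides or from any CCM implementation; it builds the first CBC-MAC block B_0 and the CTR blocks A_i following the field layout of RFC 3610 (sections 2.2 and 2.3): a flags byte (bit 6 = associated data present, bits 5..3 = (t−2)/2 for a t-byte tag, bits 2..0 = q−1), then the nonce, then a q-byte message length or counter. The function names and the tradeoff table are this example's own.

```python
def ccm_nonce_length(q: int) -> int:
    """Nonce length forced by q, the byte width of the message-length field: 15 - q bytes."""
    if q not in range(2, 9):
        raise ValueError("CCM requires q in {2,...,8}")
    return 15 - q


def _q_from_nonce(nonce: bytes) -> int:
    # The nonce length fixes q and vice versa: one 16-byte block holds 1 + |N| + q bytes.
    q = 15 - len(nonce)
    if q not in range(2, 9):
        raise ValueError("nonce must be 7..13 bytes so that q = 15 - |N| lies in 2..8")
    return q


def ccm_b0(nonce: bytes, msg_len: int, tag_len: int, has_ad: bool) -> bytes:
    """First CBC-MAC input block B_0 = Flags || N || l(m) (RFC 3610, section 2.2)."""
    q = _q_from_nonce(nonce)
    if tag_len not in (4, 6, 8, 10, 12, 14, 16):
        raise ValueError("tag length must be an even number of bytes in 4..16")
    if msg_len >= 1 << (8 * q):
        # The message length must fit in q bytes: small q means short messages only.
        raise ValueError("message too long for q = %d" % q)
    flags = (0x40 if has_ad else 0x00) | (((tag_len - 2) // 2) << 3) | (q - 1)
    return bytes([flags]) + nonce + msg_len.to_bytes(q, "big")


def ccm_counter_block(nonce: bytes, i: int) -> bytes:
    """CTR input block A_i = Flags || N || i; here Flags carries only q - 1 (RFC 3610, section 2.3)."""
    q = _q_from_nonce(nonce)
    if i >= 1 << (8 * q):
        raise ValueError("counter does not fit in q bytes")
    return bytes([q - 1]) + nonce + i.to_bytes(q, "big")


def ccm_tradeoff():
    """(q, nonce length, longest message in bytes) for every legal q: the coupling the slide criticises."""
    return [(q, ccm_nonce_length(q), (1 << (8 * q)) - 1) for q in range(2, 9)]


if __name__ == "__main__":
    # Constructed 13-byte nonce, so q = 2: messages are limited to 65535 bytes.
    n = bytes(range(13))
    print(ccm_b0(n, msg_len=23, tag_len=8, has_ad=True).hex())
    print(ccm_counter_block(n, 1).hex())
    for row in ccm_tradeoff():
        print("q=%d  |N|=%d bytes  max message=%d bytes" % row)
```

The check in the test below reproduces the B_0 block ("CBC IV in") of RFC 3610's Packet Vector #1: a 13-byte nonce, 23 payload bytes, an 8-byte tag and associated data present give the flags byte 0x59.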

24. The issues with CCM aren't hard to fix [Bellare, R, Wagner 2004]
ANSI C12.22, ISO 19772
- Generic composition of CTR and CMAC is a good alternative
- EAX is a CCM-like mode intended to fix CCM's problems
Figure (EAX): N, the header A and the ciphertext C are each run through CMAC_K under the domain-separating prefixes 0, 1 and 2; the CMAC of N is the starting counter for CTR_K, which encrypts M to C; the three CMAC outputs are XORed to give the tag T.
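Slides 12, 13, 19, 20 and 24 together describe what a nonce-based AEAD built by generic composition has to do: encrypt with an IND-CPA scheme, then bind N, AD and C under a MAC so that any modified ciphertext, a changed AD or a different nonce decrypts to ⊥. The code below is an added example for this page, not code from the slides; it is the Encrypt-then-MAC composition with CTR mode, where the PRF behind CTR and the MAC are both realised with HMAC-SHA256 from the Python standard library (an assumption standing in for a blockcipher and CMAC so that it runs offline). The keys, nonce and messages are constructed values; `demo()` first shows the failure mode of slides 4 to 7 (privacy-only encryption is malleable) and then that the composed AEAD rejects the same change.

```python
import hashlib
import hmac
import struct

BLOCK = 32   # keystream bytes produced per PRF call (SHA-256 output size)
TAG_LEN = 16


def _keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    # PRF F_K(N || counter), realised with HMAC-SHA256 (assumption: stands in for a blockcipher).
    return hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()


def ctr_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Privacy-only (IND-CPA) nonce-based encryption; decryption is the same function."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(msg), BLOCK)):
        chunk = msg[start:start + BLOCK]
        ks = _keystream_block(key, nonce, counter)
        out += bytes(m ^ k for m, k in zip(chunk, ks))
    return bytes(out)


def _mac_input(nonce: bytes, ad: bytes, c: bytes) -> bytes:
    # Length-prefix every field so (N, AD, C) parses unambiguously. With plain concatenation,
    # moving bytes across the AD/C boundary would leave the MAC input, and so the tag, unchanged.
    return b"".join(struct.pack(">Q", len(f)) + f for f in (nonce, ad, c))


def aead_encrypt(ke: bytes, km: bytes, nonce: bytes, ad: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: C = CTR_ke(N, M), T = MAC_km(N, AD, C); returns C || T."""
    c = ctr_encrypt(ke, nonce, msg)
    tag = hmac.new(km, _mac_input(nonce, ad, c), hashlib.sha256).digest()[:TAG_LEN]
    return c + tag


def aead_decrypt(ke: bytes, km: bytes, nonce: bytes, ad: bytes, ct: bytes):
    """Returns the plaintext, or None standing in for ⊥. The tag is checked before decrypting."""
    if len(ct) < TAG_LEN:
        return None
    c, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
    expect = hmac.new(km, _mac_input(nonce, ad, c), hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):   # constant-time comparison
        return None
    return ctr_encrypt(ke, nonce, c)


def demo() -> dict:
    ke, km = b"\x11" * 32, b"\x22" * 32      # constructed keys; separate keys for Enc and MAC
    nonce = b"\x00" * 11 + b"\x01"           # constructed 96-bit nonce, unique per message
    ad, msg = b"account=alice", b"transfer 100"

    # Slides 4-7: privacy-only CTR is malleable. Changing one ciphertext byte changes the
    # corresponding plaintext byte predictably, and decryption reports nothing wrong.
    c = ctr_encrypt(ke, nonce, msg)
    bent = bytearray(c)
    bent[9] ^= ord("1") ^ ord("9")
    malleated = ctr_encrypt(ke, nonce, bytes(bent))

    # Slides 12-13, 19-20: the composed AEAD returns ⊥ for the same change, for a changed AD,
    # and for a different nonce, because the tag covers (N, AD, C).
    ct = aead_encrypt(ke, km, nonce, ad, msg)
    bent_ct = bytearray(ct)
    bent_ct[9] ^= ord("1") ^ ord("9")
    return {
        "malleated": malleated,
        "roundtrip": aead_decrypt(ke, km, nonce, ad, ct),
        "tampered_ciphertext": aead_decrypt(ke, km, nonce, ad, bytes(bent_ct)),
        "wrong_ad": aead_decrypt(ke, km, nonce, b"account=bob", ct),
        "wrong_nonce": aead_decrypt(ke, km, b"\x00" * 12, ad, ct),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-20s %r" % (name, value))
```

Two design points carry the security of the composition: the MAC key is distinct from the encryption key, and the MAC input is an unambiguous encoding of (N, AD, C), so the AD of slide 19 is bound to exactly this ciphertext under exactly this nonce.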

25. GCM Mode [McGrew, Viega 2004] (follows CWC [Kohno, Viega, Whiting 2004])
NIST SP 800-38D:2007; RFC 4106, 5084, 5116, 5288, 5647; ISO 19772:2009
See [R 2011], "Evaluation of Some Blockcipher Modes of Operation", Ch. 12
[Figure: GCM with a 96-bit nonce N; not reproduced]

26. GCM Mode [McGrew, Viega 2004]; follows CWC [Kohno, Viega, Whiting 2004]
NIST SP 800-38D; ISO 19772:2009; used in IPsec, TLS, MACsec, P1619.1
Pros:
- Provably secure, with OK bounds for long tags
- Parallelizable, online
- About m + 1 blockcipher calls, all of them parallelizable
- Very efficient in HW
- Reasonably efficient in SW with AES-NI, PCLMULQDQ, preprocessing & tables
- Static AD can be preprocessed
- Only forward direction of blockcipher used
Cons:
- First forgery after $2^{t}/2$ queries; after that, additional forgeries come quickly
- Poor bound if the tag is truncated too much [Ferguson 2005] (don't truncate below 96 bits)
- Not that efficient in SW, even with PCLMULQDQ support
- Timing attacks an issue for table-based realizations (slow setup, too)
- Maximum of $2^{36} - 32$ bytes
- "Reflected-bit" convention for representing field points unfortunate
- $|N| \neq 96$ case not handled well
- Published proof is buggy [Iwata 2012]

27. OCB3 [RBBK01, R04, KR10]: OCB Mode in terms of a tweakable blockcipher [LRW02]
[Figure: a message of full blocks M1, M2, M3, M4; Checksum = M1 ⊕ M2 ⊕ M3 ⊕ M4]

28. OCB Mode in terms of a tweakable blockcipher [LRW02] [RBBK01, R04, KR10]
[Figure: the final block is partial and is padded with 10* before entering the Checksum = M1 ⊕ M2 ⊕ M3 ⊕ M4 10*]

29. OCB Mode in terms of a tweakable blockcipher [LRW02] [RBBK01, R04, KR10]
[Figure not captured]
