Pipelineable On-Line Encryption (POE)
|
|
- Janice Singleton
- 5 years ago
- Views:
Transcription
1 Pipelineable On-Line Encryption (POE) FSE 2014 Farzaneh Abed 2 Scott Fluhrer 1 John Foley 1 Christian Forler 2 Eik List 2 Stefan Lucks 2 David McGrew 1 Jakob Wenzel 2 1 Cisco Systems, 2 Bauhaus-Universität Weimar March 3, 2014 London, UK
2 Agenda
3 Scenario Section 1 Scenario
4 Scenario Case Study: Optical Transport Network (OTN) Task: secure network traffic
5 Scenario Case Study: Optical Transport Network (OTN) Task: secure network traffic of real-time applications
6 Scenario Case Study: Optical Transport Network (OTN) Task: secure network traffic of real-time applications in an Optical Transport Network (OTN)
7 Scenario Case Study: Optical Transport Network (OTN) Task: secure network traffic of real-time applications in an Optical Transport Network (OTN) High throughput ( Gbit/s) Low latency (few clock cycles) Large message frames (64 KB) (usually consist of multiple TCP/IP or UDP/IP packages)
8 Scenario Case Study: Optical Transport Network (OTN) Task: secure network traffic of real-time applications in an Optical Transport Network (OTN) High throughput ( Gbit/s) Low latency (few clock cycles) Large message frames (64 KB) (usually consist of multiple TCP/IP or UDP/IP packages) Security requirements: Data privacy (IND-CPA), and Data integrity (INT-CTXT)
9 Scenario Case Study: Optical Transport Network (OTN) Task: secure network traffic of real-time applications in an Optical Transport Network (OTN) High throughput ( Gbit/s) Low latency (few clock cycles) Large message frames (64 KB) (usually consist of multiple TCP/IP or UDP/IP packages) Security requirements: Data privacy (IND-CPA), and Data integrity (INT-CTXT) Functional requirements: On-line encryption/decryption
10 Scenario Problem and Workarounds Problem: High Latency of Authenticated Decryption 1 Decryption of the entire message 2 Verification of the authentication tag For 64-kB frames we have 4,096 ciphertext blocks (128 bits) Workarounds: Decrypt-then-mask? [Fouque et al. 03] latency again Pass plaintext beforehand and hope...
11 Scenario Problem and Workarounds Problem: High Latency of Authenticated Decryption 1 Decryption of the entire message 2 Verification of the authentication tag For 64-kB frames we have 4,096 ciphertext blocks (128 bits) Workarounds: Decrypt-then-mask? [Fouque et al. 03] latency again Pass plaintext beforehand and hope... Drawbacks: Plaintext information would leak if authentication tag invalid Literature calls this setting decryption-misuse [Fleischmann, Forler, and Lucks 12]
12 Scenario How Severe is Decryption-Misuse? Puts security at high risk CCA-adversary may inject controlled manipulations Particularly, CTR-mode based encryption schemes
13 Scenario How Severe is Decryption-Misuse? Puts security at high risk CCA-adversary may inject controlled manipulations Particularly, CTR-mode based encryption schemes Decryption-misuse is not covered by existing CCA3-security proofs
14 Scenario Decryption Misuse Resistance Best to wish for: Manipulation of ciphertext block C i completely random plaintext Contradiction to on-line requirement
15 Scenario Decryption Misuse Resistance Best to wish for: Manipulation of ciphertext block C i completely random plaintext Contradiction to on-line requirement What can we achive with an on-line encryption scheme? Manipulation of C i random (M i, M i+1,...) Adversary sees at best common message prefixes
16 Scenario Decryption Misuse Resistance Best to wish for: Manipulation of ciphertext block C i completely random plaintext Contradiction to on-line requirement What can we achive with an on-line encryption scheme? Manipulation of C i random (M i, M i+1,...) Adversary sees at best common message prefixes The security notion of OPERM-CCA covers this behaviour
17 Scenario OPERM-CCA Definition (OPERM-CCA Advantage) Let P be a random on-line permutation, Π = (K, E, D) an encryption scheme, and A be an adversary. Then we have [ Adv OPERM-CCA ] [ ] Π (A) = Pr k $ K () : A E k (.),D k (.) A P(.),P 1 (.)
18 Scenario On-Line Permutation On-Line Permutation (OPerm) Like a PRP with the following property: Plaintexts with common prefix ciphertexts with common prefix (Bellare et al..; Online Ciphers and the Hash-CBC Construction ; CRYPTO 01)
19 Scenario Intermediate (Authentication) Tags Assume an OPERM-CCA secure encryption scheme Recap: Modifying C i = M i, M i+1,..., M M random garbage Redundancy in the plaintext (e.g., checksum)
20 Scenario Intermediate (Authentication) Tags Assume an OPERM-CCA secure encryption scheme Recap: Modifying C i = M i, M i+1,..., M M random garbage Redundancy in the plaintext (e.g., checksum) = intermediate authentication tags
21 Scenario Intermediate (Authentication) Tags Assume an OPERM-CCA secure encryption scheme Recap: Modifying C i = M i, M i+1,..., M M random garbage Redundancy in the plaintext (e.g., checksum) = intermediate authentication tags Common network packets (TCP/IP, UDP/IP) have a checksum = OTN: 16-bit integrity for free (per packet)
22 Scenario Promising Candidate: TC3 TC3 [Rogaway & Zhang 11] is IND-CCA MCOE [Fleischmann et al. 12] is based on TC3
23 Scenario Promising Candidate: TC3 TC3 [Rogaway & Zhang 11] is IND-CCA MCOE [Fleischmann et al. 12] is based on TC3 Why not using TC3?
24 Scenario Promising Candidate: TC3 TC3 [Rogaway & Zhang 11] is IND-CCA MCOE [Fleischmann et al. 12] is based on TC3 Why not using TC3? Inherently sequential
25 Scenario Comparison of Common On-line Encryption Schemes CCAinsecure CCAsecure Sequential ABC, CBC, CFB, HCBC1, IGE, OFB, TC1 APE, CMC, HCBC2, MCBC, MHCBC, TC2/3 Non-Sequential COPE, CTR, ECB, TIE, XTS
26 Scenario Comparison of Common On-line Encryption Schemes CCAinsecure CCAsecure Sequential ABC, CBC, CFB, HCBC1, IGE, OFB, TC1 APE, CMC, HCBC2, MCBC, MHCBC, TC2/3 Non-Sequential COPE, CTR, ECB, TIE, XTS It seems that there is still some place for a new encryption scheme.
27 POE/POET Section 2 POE/POET
28 POE/POET Pipelineable On-Line Encryption (POE) Well pipelineable OPERM-CCA-secure 1 BC + 2 ɛ-axu hash-function (F) calls per block
29 POE/POET Instantiations of the ɛ-axu Hash Function F 4-Round-AES = 18 AES rounds/block ɛ-axu with ɛ [Daemen & Rijmen 98]
30 POE/POET Instantiations of the ɛ-axu Hash Function F 4-Round-AES = 18 AES rounds/block ɛ-axu with ɛ [Daemen & Rijmen 98] GF(2 128 )-multiplication 1 BC call + 2 multiplications with ɛ POE can be parallelized Given p i = K i + K i 1 M K M i 1 + M i Core 1: K p i + M i+1 Core 2: K 2 p i + K M i+1 + M i+2...
31 POE/POET Instantiations of the ɛ-axu Hash Function F 4-Round-AES = 18 AES rounds/block ɛ-axu with ɛ [Daemen & Rijmen 98] GF(2 128 )-multiplication 1 BC call + 2 multiplications with ɛ POE can be parallelized Given p i = K i + K i 1 M K M i 1 + M i Core 1: K p i + M i+1 Core 2: K 2 p i + K M i+1 + M i+2... Increases number of multiplications Decreases latency (O(c) O(log c))
32 POE/POET Key Derivation 3 keys: K for E and K 1, K 2 for F in the top and bottom row K = E L (0), K 1 = E L (1), K 2 = E L (2)
33 POE with Tag (POET) POE/POET Prepends H CCA3-secure Borrows tag-splitting procedure from McOE Robust against nonce- and decryption-misuse
34 Security of POE/POET Section 3 Security of POE/POET
35 Security of POE/POET POET: OCCA3-Security OCCA3 For an adversary A, asking at most q messages, consisting of at most l total blocks, which runs in time at most t, it holds that Adv OCCA3 Π (A) Adv OPERM-CCA (q, l, t) + Adv INT-CTXT (q, l, t). Π Π
36 Security of POE/POET POE: OPERM-CCA-Security A instantly wins if a bad event occurs 1. A can distinguish E from random permutation
37 Security of POE/POET POE: OPERM-CCA-Security A instantly wins if a bad event occurs 1. A can distinguish E from random permutation 2. Collision in top row
38 Security of POE/POET POE: OPERM-CCA-Security A instantly wins if a bad event occurs 1. A can distinguish E from random permutation 2. Collision in top row 3. Collision in bottom row
39 Security of POE/POET POE: OPERM-CCA-Security 1. Assume E is secure: Adv IND-SPRP E,E (l, O(t)) 1
40 Security of POE/POET POE: OPERM-CCA-Security 1. Assume E is secure: Adv IND-SPRP E,E (l, O(t)) 1 2. Collision in top row ɛ l(l 1) 2 ɛ l2 2
41 Security of POE/POET POE: OPERM-CCA-Security 1. Assume E is secure: Adv IND-SPRP E,E (l, O(t)) 1 2. Collision in top row ɛ l(l 1) 2 ɛ l Collision in bottom row (see 2.)
42 Security of POE/POET POET: OPERM-CCA-Security If no bad event occurs we have l 2 2 n l The total probability is given by the sum OPERM-CCA Advantage Adv OPERM-CCA POET (q, l, t) ɛl 2 + l2 2 n l + AdvIND-SPRP E,E (l, O(t)) 1
43 Security of POE/POET Filling the Gap CCAinsecure CCAsecure Sequential ABC, CBC, CFB, HCBC1, IGE, OFB, TC1 APE, CMC, HCBC2, MCBC, MHCBC, TC2/3 Non-Sequential COPE, CTR, ECB, TIE, XTS POE
44 Security of POE/POET POET: INT-CTXT-Security INT-CTXT proof is game-based Combines the ideas from its OPERM-CCA proof and the INT-CTXT proof from McOE Details ( Paper)
45 Security of POE/POET POET: INT-CTXT-Security INT-CTXT Advantage POET (q, l, t) (l+2q) 2 q ɛ+ 2 n (l + 2q) +AdvIND-SPRP E,E (l+2q, O(t)) 1 Adv INT-CTXT
46 Security of POE/POET Conclusion POE: Non-sequential on-line cipher Simple design Support for intermediate tags Provably OPERM-CCA-secure High throughput: non-sequential, on-line Robust against nonce- and decryption-misuse
47 Security of POE/POET Conclusion POE: Non-sequential on-line cipher Simple design Support for intermediate tags Provably OPERM-CCA-secure High throughput: non-sequential, on-line Robust against nonce- and decryption-misuse POET: On-line AE built on POE Security: Provably OCCA3-secure Fulfills the demanding requirements of high-speed networks
48 Security of POE/POET Thank you Questions?
49 Security of POE/POET OPERM-CCA Attack Against COPE (1) Y a = E K (M a 3L) L and Y b = E K (M b 3L) L Query: (M a, M c ); Result: (C a, C (a,c) ) Query: (M b, M c ); Result: (C b, C (b,c) )
50 Security of POE/POET OPERM-CCA Attack Against COPE (2) Y a = E K (M a 3L) L and Y b = E K (M b 3L) L Query: (C a, C (b,c) ); Result: (M a, M (a,bc) ) Query: (C b, C (a,c) ); Result (M b, M (b,ac) ) Y (a,c) = E 1 K (C (a,c) 4L), X (b,ac) = Y (a,c) Y b = X (a,bc) = M (a,bc) = M (b,ac)
McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes
McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann Christian Forler Stefan Lucks Bauhaus-Universität Weimar FSE 2012 Fleischmann, Forler, Lucks. FSE 2012. McOE:
More informationPipelineable On-Line Encryption
Pipelineable On-Line Encryption Farzaneh Abed 1, Scott Fluhrer 2, Christian Forler 1, Eik List 1, Stefan Lucks 1,, David McGrew 2, Jakob Wenzel 1 1 Bauhaus-Universität Weimar, Germany, 2 Cisco Systems,
More informationSymmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University
Symmetric-Key Cryptography Part 1 Tom Shrimpton Portland State University Building a privacy-providing primitive I want my communication with Bob to be private -- Alice What kind of communication? SMS?
More informationBlock ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016
Block ciphers CS 161: Computer Security Prof. Raluca Ada Popa February 26, 2016 Announcements Last time Syntax of encryption: Keygen, Enc, Dec Security definition for known plaintext attack: attacker provides
More informationOn Symmetric Encryption with Distinguishable Decryption Failures
On Symmetric Encryption with Distinguishable Decryption Failures Alexandra Boldyreva, Jean Paul Degabriele, Kenny Paterson, and Martijn Stam FSE - 12th Mar 2013 Outline Distinguishable Decryption Failures
More informationBlock ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 74 Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways
More informationBlock cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75
Block cipher modes Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 75 Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 76 Block cipher modes Block ciphers (like
More informationPermutation-based Authenticated Encryption
Permutation-based Authenticated Encryption Gilles Van Assche 1 1 STMicroelectronics COST Training School on Symmetric Cryptography and Blockchain Torremolinos, Spain, February 2018 1 / 44 Outline 1 Why
More informationCryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1
Cryptography CS 555 Topic 11: Encryption Modes and CCA Security CS555 Spring 2012/Topic 11 1 Outline and Readings Outline Encryption modes CCA security Readings: Katz and Lindell: 3.6.4, 3.7 CS555 Spring
More informationThe OCB Authenticated-Encryption Algorithm
The OCB Authenticated-Encryption Algorithm Ted Krovetz California State University, Sacramento, USA Phillip Rogaway University of California, Davis, USA IETF 83 Paris, France CFRG 11:20-12:20 in 212/213
More informationECE 646 Lecture 8. Modes of operation of block ciphers
ECE 646 Lecture 8 Modes of operation of block ciphers Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5 th and 6 th Edition, Chapter 6 Block Cipher Operation II. A. Menezes, P.
More informationAEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iminds 1 AEGIS: A shield carried by Athena and Zeus 2 Different Design Approaches:
More informationHomework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING
UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING ENEE 457 Computer Systems Security Instructor: Charalampos Papamanthou Homework 2 Out: 09/23/16 Due: 09/30/16 11:59pm Instructions
More informationHow to Use Your Block Cipher? Palash Sarkar
How to Use Your Block Cipher? Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in IACITS New Delhi, 2 nd April 2009 Palash Sarkar (ISI, Kolkata) Using
More informationBlock ciphers, stream ciphers
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A
More informationAuthenticated Encryption
18733: Applied Cryptography Anupam Datta (CMU) Authenticated Encryption Online Cryptography Course Authenticated Encryption Active attacks on CPA-secure encryption Recap: the story so far Confidentiality:
More informationCryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security
Cryptography CS 555 Topic 8: Modes of Encryption, The Penguin and CCA security 1 Reminder: Homework 1 Due on Friday at the beginning of class Please typeset your solutions 2 Recap Pseudorandom Functions
More informationScanned by CamScanner
Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Scanned by CamScanner Symmetric-Key Cryptography CS 161: Computer Security
More informationDIAC 2015, Sept, Singapore
π-cipher V2.0 Danilo Gligoroski, ITEM, NTNU, Norway Hristina Mihajloska, FCSE, UKIM, Macedonia Simona Samardjiska, FCSE, UKIM, Macedonia Håkon Jacobsen, ITEM, NTNU, Norway Mohamed El-Hadedy, University
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationCryptography. Andreas Hülsing. 6 September 2016
Cryptography Andreas Hülsing 6 September 2016 1 / 21 Announcements Homepage: http: //www.hyperelliptic.org/tanja/teaching/crypto16/ Lecture is recorded First row might be on recordings. Anything organizational:
More informationCryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu
More informationAutomated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes
Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes Alex J. Malozemoff University of Maryland Joint work with Matthew Green, Viet Tung Hoang, and Jonathan Katz Presented
More informationBlock Cipher Modes of Operation
Block Cipher Modes of Operation Luke Anderson luke@lukeanderson.com.au 23 rd March 2018 University Of Sydney Overview 1. Crypto-Bulletin 2. Modes Of Operation 2.1 Evaluating Modes 2.2 Electronic Code Book
More informationSymmetric-Key Cryptography
Symmetric-Key Cryptography CS 161: Computer Security Prof. Raluca Ada Popa Sept 13, 2016 Announcements Project due Sept 20 Special guests Alice Bob The attacker (Eve - eavesdropper, Malice) Sometimes Chris
More informationThe JAMBU Lightweight Authentication Encryption Mode (v2)
The JAMBU Lightweight Authentication Encryption Mode (v2) 29 Aug, 2015 Designers: Hongjun Wu, Tao Huang Submitters: Hongjun Wu, Tao Huang Contact: wuhongjun@gmail.com Division of Mathematical Sciences
More informationAdvanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50
Advanced Encryption Standard and Modes of Operation Foundations of Cryptography - AES pp. 1 / 50 AES Advanced Encryption Standard (AES) is a symmetric cryptographic algorithm AES has been originally requested
More informationPaper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage
1 Announcements Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: Symmetric key
More informationLecture Note 05 Date:
P.Lafourcade Lecture Note 05 Date: 29.09.2009 Security models 1st Semester 2008/2009 MANGEOT Guillaume ROJAT Antoine THARAUD Jrmie Contents 1 Block Cipher Modes 2 1.1 Electronic Code Block (ECB) [Dwo01]....................
More informationStream Ciphers. Stream Ciphers 1
Stream Ciphers Stream Ciphers 1 Stream Ciphers Generate a pseudo-random key stream & xor to the plaintext. Key: The seed of the PRNG Traditional PRNGs (e.g. those used for simulations) are not secure.
More informationIND-CCA2 secure cryptosystems, Dan Bogdanov
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationHow to Securely Release Unverified Plaintext in Authenticated Encryption
How to Securely Release Unverified Plaintext in Authenticated Encryption Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Nicky Mouha 1,2, and an Yasuda 1,4 1 epartment of Electrical
More information1 Achieving IND-CPA security
ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces
More informationA Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004
A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security T. Shrimpton October 18, 2004 Abstract In this note we introduce a variation of the standard definition of chosen-ciphertext
More informationMessage authentication codes
Message authentication codes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction security of MAC Constructions block cipher
More informationENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions
ENEE 457: Computer Systems Security 09/12/16 Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions Charalampos (Babis) Papamanthou Department of Electrical and Computer
More informationCLOC: Authenticated Encryption
CLOC: Authenticated Encryption for Short Input Tetsu Iwata, Nagoya University Kazuhiko Minematsu, NEC Corporation Jian Guo, Nanyang Technological University Sumio Morioka, NEC Europe Ltd. FSE 2014 March
More informationCryptology complementary. Symmetric modes of operation
Cryptology complementary Symmetric modes of operation Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 05 03 Symmetric modes 2018 05 03
More informationAutomated Analysis and Synthesis of Block-Cipher Modes of Operation
Automated Analysis and Synthesis of Block-Cipher Modes of Operation Alex J. Malozemoff 1 Jonathan Katz 1 Matthew D. Green 2 1 University of Maryland 2 Johns Hopkins University Presented at the IEEE Computer
More informationBlock Cipher Operation. CS 6313 Fall ASU
Chapter 7 Block Cipher Operation 1 Outline q Multiple Encryption and Triple DES q Electronic Codebook q Cipher Block Chaining Mode q Cipher Feedback Mode q Output Feedback Mode q Counter Mode q XTS-AES
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 8 2018 Review CPA-secure construction Security proof by reduction
More informationECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #7 Analysis of DES and the AES Standard Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we analyze the security properties of DES and
More informationDaniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
Goals of authenticated encryption Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven More details, credits: competitions.cr.yp.to /features.html Encryption sender
More informationParallelizable and Authenticated Online Ciphers
Parallelizable and Authenticated Online Ciphers lena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, lmar Tischhauser 1,2, and Kan Yasuda 1,4 1 Department of lectrical ngineering, SAT/COSIC,
More informationAuthenticated Encryption
18733: Applied Cryptography Anupam Datta (CMU) Authenticated Encryption Online Cryptography Course Authenticated Encryption Active attacks on CPA-secure encryption Recap: the story so far Confidentiality:
More informationCourse Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18
Course Map Key Establishment Authenticated Encryption Key Management COMP 7/8120 Cryptography and Data Security Lecture 8: How to use Block Cipher - many time key Stream Ciphers Block Ciphers Secret Key
More informationSymmetric Encryption 2: Integrity
http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational
More informationBlock Cipher Modes of Operation
Block Cipher Modes of Operation Luke Anderson luke@lukeanderson.com.au 24th March 2016 University Of Sydney Overview 1. Crypto-Bulletin 2. Modes Of Operation 2.1 Evaluating Modes 2.2 Electronic Code Book
More informationLecture 18 - Chosen Ciphertext Security
Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not
More informationABC - A New Framework for Block Ciphers. Uri Avraham
ABC - A New Framework for Block Ciphers Uri Avraham ABC - A New Framework for Block Ciphers Research Thesis Submitted in partial fulfillment of the requirements for the degree of Master of Science in
More informationSymmetric Crypto MAC. Pierre-Alain Fouque
Symmetric Crypto MAC Pierre-Alain Fouque Message Authentication Code (MAC) Warning: Encryption does not provide integrity Eg: CTR mode ensures confidentiality if the blockcipher used is secure. However,
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationFeedback Week 4 - Problem Set
4/26/13 Homework Feedback Introduction to Cryptography Feedback Week 4 - Problem Set You submitted this homework on Mon 17 Dec 2012 11:40 PM GMT +0000. You got a score of 10.00 out of 10.00. Question 1
More informationIntroduction to Cryptography. Lecture 3
Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic
More informationAEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2015 AEGIS 1
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iminds 1 AEGIS: A shield carried by Athena and Zeus 2 Different Design Approaches:
More informationData Encryption Standard (DES)
Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals:
More informationStorage Encryption: A Cryptographer s View. Shai Halevi IBM Research
Storage Encryption: A Cryptographer s View Shai Halevi IBM Research Motivation You re working on storage encryption? It must be the most boring thing in the world Anonymous Encryption is the most basic
More informationContent of this part
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 5 More About Block Ciphers Israel Koren ECE597/697 Koren Part.5.1 Content of this
More informationMultiple forgery attacks against Message Authentication Codes
Multiple forgery attacks against Message Authentication Codes David A. McGrew and Scott R. Fluhrer Cisco Systems, Inc. {mcgrew,sfluhrer}@cisco.com May 31, 2005 Abstract Some message authentication codes
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationPermutation-based symmetric cryptography
Permutation-based symmetric cryptography Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Keccak & SHA-3 Day Université Libre de Bruxelles March
More informationSome Aspects of Block Ciphers
Some Aspects of Block Ciphers Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in CU-ISI Tutorial Workshop on Cryptology, 17 th July 2011 Palash Sarkar
More informationIntroduction to Cryptography. Lecture 3
Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcements Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More informationAdvanced Cryptography 1st Semester Symmetric Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 22th 2007 1 / 58 Last Time (I) Security Notions Cyclic Groups Hard Problems One-way IND-CPA,
More informationConcrete Security of Symmetric-Key Encryption
Concrete Security of Symmetric-Key Encryption Breno de Medeiros Department of Computer Science Florida State University Concrete Security of Symmetric-Key Encryption p.1 Security of Encryption The gold
More informationSolutions to exam in Cryptography December 17, 2013
CHALMERS TEKNISKA HÖGSKOLA Datavetenskap Daniel Hedin DIT250/TDA351 Solutions to exam in Cryptography December 17, 2013 Hash functions 1. A cryptographic hash function is a deterministic function that
More informationPractical Symmetric On-line Encryption
Practical Symmetric On-line Encryption Pierre-Alain Fouque, Gwenaëlle Martinet, and Guillaume Poupard DCSSI Crypto Lab 51 Boulevard de La Tour-Maubourg 75700 Paris 07 SP, France Pierre-Alain.Fouque@ens.fr
More informationCryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu
More informationLecture 8 - Message Authentication Codes
Lecture 8 - Message Authentication Codes Benny Applebaum, Boaz Barak October 12, 2007 Data integrity Until now we ve only been interested in protecting secrecy of data. However, in many cases what we care
More informationProvably Secure MACs from Differentially-uniform Permutations and AES-based Implementations
Provably Secure MACs from Differentially-uniform Permutations and AES-based Implementations Kazuhiko Minematsu and Yukiyasu Tsunoo NEC Corporation Fast Software Encryption 2006, Graz, Austria Message Authentication
More informationCS 495 Cryptography Lecture 6
CS 495 Cryptography Lecture 6 Dr. Mohammad Nabil Alaggan malaggan@fci.helwan.edu.eg Helwan University Faculty of Computers and Information CS 495 Fall 2014 http://piazza.com/fci_helwan_university/fall2014/cs495
More informationIntroduction to cryptology (GBIN8U16)
Introduction to cryptology (GBIN8U16) Finite fields, block ciphers Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 01 31 Finite fields,
More informationCIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)
CIS 6930/4930 Computer and Network Security Topic 3.1 Secret Key Cryptography (Cont d) 1 Principles for S-Box Design S-box is the only non-linear part of DES Each row in the S-Box table should be a permutation
More informationHow to Securely Release Unverified Plaintext in Authenticated Encryption
How to Securely Release Unverified Plaintext in Authenticated Encryption Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Nicky Mouha 1,2, and an Yasuda 1,4 1 Department of Electrical
More informationConcrete cryptographic security in F*
Concrete cryptographic security in F* crypto hash (SHA3) INT-CMA encrypt then-mac Auth. encryption Secure RPC some some some adversary attack attack symmetric encryption (AES). IND-CMA, CCA2 secure channels
More informationAccredited Standards Committee X9, Incorporated
Accredited Standards Committee X9, Incorporated The following document contains excerpts from draft standard of the Accredited Standards Committee, X9, Inc. (ASC X9) entitled ANS X9.102- Wrapping of Keys
More informationRefining Computationally Sound Mech. Proofs for Kerberos
Refining Computationally Sound Mechanized Proofs for Kerberos Bruno Blanchet Aaron D. Jaggard Jesse Rao Andre Scedrov Joe-Kai Tsay 07 October 2009 Protocol exchange Meeting Partially supported by ANR,
More informationStream Ciphers and Block Ciphers
Stream Ciphers and Block Ciphers Ruben Niederhagen September 18th, 2013 Introduction 2/22 Recall from last lecture: Public-key crypto: Pair of keys: public key for encryption, private key for decryption.
More informationUpdates on CLOC and SILC
Updates on CLOC and SILC Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi DIAC 2015 September 28, 2015, Singapore * Supported in part by JSPS KAKENHI, Grant in Aid for Scientific
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationComb to Pipeline: Fast Software Encryption Revisited
Comb to Pipeline: Fast Software Encryption Revisited Andrey Bogdanov, Martin M. Lauridsen, and Elmar Tischhauser DTU Compute, Technical University of Denmark, Denmark {anbog,mmeh,ewti}@dtu.dk Abstract.
More informationENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel
(a) Introduction - recall symmetric key cipher: III. BLOCK CIPHERS k Symmetric Key Cryptography k x e k y yʹ d k xʹ insecure channel Symmetric Key Ciphers same key used for encryption and decryption two
More informationLecture Note 05 Date:
P.Lafourcade Lecture Note 05 Date: 11.10.2010 Security models: Symmetric Encryption 1st Semester 2010/2011 Cailler Alexandre Masson Florian Contents 1 Block Cipher Modes 3 1.1 Electronic CodeBook (ECB)
More informationOCB Mode. Mihir Bellare UCSD John Black UNR Ted Krovetz Digital Fountain
OCB Mode Phillip Rogaway Department of Computer Science UC Davis + Chiang Mai Univ rogaway@cs.ucdavis.edu http://www.cs.ucdavis.edu/~rogaway +66 1 530 7620 +1 530 753 0987 Mihir Bellare UCSD mihir@cs.ucsd.edu
More informationThe Extended Codebook (XCB) Mode of Operation
The Extended Codebook (XCB) Mode of Operation David A. McGrew and Scott Fluhrer Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95032 {mcgrew,sfluhrer}@cisco.com October 25, 2004 Abstract We describe
More informationAuthenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol
Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol Mihir Bellare UC San Diego mihir@cs.ucsd.edu Tadayoshi Kohno UC San Diego tkohno@cs.ucsd.edu Chanathip Namprempre Thammasat
More informationAuthenticated encryption
Authenticated encryption Mac forgery game M {} k R 0,1 s m t M M {m } t mac k (m ) Repeat as many times as the adversary wants (m, t) Wins if m M verify m, t = 1 Mac forgery game Allow the adversary to
More informationCS155. Cryptography Overview
CS155 Cryptography Overview Cryptography! Is n A tremendous tool n The basis for many security mechanisms! Is not n The solution to all security problems n Reliable unless implemented properly n Reliable
More informationSymmetric Cryptography
CSE 484 (Winter 2010) Symmetric Cryptography Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
More informationA Surfeit of SSH Cipher Suites
A Surfeit of SSH Cipher Suites Jean Paul Degabriele Information Security Group www.isg.rhul.ac.uk/~psai074 Based in part on slides by Kenny Paterson Outline of this talk Overview of SSH and related work
More informationSymmetric Encryption. Thierry Sans
Symmetric Encryption Thierry Sans Design principles (reminder) 1. Kerkoff Principle The security of a cryptosystem must not rely on keeping the algorithm secret 2. Diffusion Mixing-up symbols 3. Confusion
More informationWCFB: a tweakable wide block cipher
WCFB: a tweakable wide block cipher Andrey Jivsov 1 Abstract. We define a model for applications that process large data sets in a way that enables additional optimizations of encryption operations. We
More informationThe Rectangle Attack
The Rectangle Attack and Other Techniques for Cryptanalysis of Block Ciphers Orr Dunkelman Computer Science Dept. Technion joint work with Eli Biham and Nathan Keller Topics Block Ciphers Cryptanalysis
More informationLecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 5 Portland State University Jan. 23, 2018 Lecturer: Fang Song Draft note. Version: January 25, 2018. Email fang.song@pdx.edu for comments and
More informationOAEP 3-Round A Generic and Secure Asymmetric Encryption Padding. Asiacrypt '04 Jeju Island - Korea
OAEP 3-Round A Generic and Secure Asymmetric Encryption Padding Duong Hieu Phan ENS France David Pointcheval CNRS-ENS France Asiacrypt '04 Jeju Island - Korea December 6 th 2004 Summary Asymmetric Encryption
More informationSummary on Crypto Primitives and Protocols
Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance
More informationDistinguisher and Related-Key Attack on the Full AES-256
Distinguisher and Related-Key Attack on the Full AES-256 Alex Biryukov, Dmitry Khovratovich, Ivica Nikolić University of Luxembourg {alex.biryukov, dmitry.khovratovich, ivica.nikolic@uni.lu} Abstract.
More informationAttacks on Advanced Encryption Standard: Results and Perspectives
Attacks on Advanced Encryption Standard: Results and Perspectives Dmitry Microsoft Research 29 February 2012 Design Cryptanalysis history Advanced Encryption Standard Design Cryptanalysis history AES 2
More information