Blockcipher-based Authentcated Encryption: How Small Can We Go? CHES 2017, Taipei, Taiwan
|
|
- Ferdinand Bradford
- 6 years ago
- Views:
Transcription
1 Blockcipher-based Authentcated Encryption: How Small Can We Go? Avik Chakraborti (NTT Secure Platform laboratories, Japan) Tetsu Iwata (Nagoya University, Japan) Kazuhiko Minematsu (NEC Corporation, Japan) Mridul Nandi (Indian Statistical Institute, India) CHES 2017, Taipei, Taiwan September, 2017 COFB 1
2 1 Introduction COFB 2
3 Authenticated Encryption (AE) Figure: Data Transmission (Taken from [3]) A symmetric encryption scheme AE =(K, E, D) E : K M N A!C D : K C N A! M [ {?} C set of tagged ciphertexts?: special symbol to denote reject Goal Primitive Security Privacy Symmetric Encryption IND-CCA/CPA Integrity MAC UF-CMA COFB 3
4 Authenticated Encryption (AE) Input M, A, N, K Output C K -Keyspace,M - Message space, N - Nonce space, A -AssociatedDataspace,C -Ciphertext space Nonce Arbitrary number used only once for each encryption Useful as initialization vectors. Example: Counter Associated Data Header of the Message (not encrypted but authenticated) Example: IP Address COFB 4
5 Authenticated Encryption (AE) Why AE? In practice both privacy and authenticity are desirable Example taken from [3]: A doctor wishes to send medical information about Alice to the medical database. Then We want data privacy to ensure Alice s medical records remain confidential We wantintegrity to ensure the person sending the information is really the doctor and the information was not modified in transit We refer to this as authenticated encryption COFB 5
6 Security of Authenticated Encryption [4] Privacy We want IND-CPA Integrity Adversary s goal: Receiver accepts a forged tuple ((C, T ), N, A) INT-CTXT: Any forged tuple is rejected with high probability Goal - IND-CPA + INT-CTXT COFB 6
7 Unified AE Security Adversary A runs in time t A makes q enc queries ( enc blocks) q f forge queries ( f forge blocks) Adv AE E (A) = A((E K, D K ); ($,?)) $returnsarandom string from the range set of E K? oracle always returns? Adv AE E ((q, q f ), (, f ), t) =max A Adv AE E (A) COFB 7
8 Construction of AE Scheme Several Ways of Designing AE Blockcipher(BC) based, Streamcipher(SC) based, Permutation based etc. We consider BC based AE BC Based AE Sequential nonce-based AE: CLOC, SILC Parallel on-line AE: ELmD, COPA, COLM Parallel nonce-based AE: OCB, OTR Our target: Sequential nonce-based AE Need to design Feedback function COFB 8
9 Possible Options for Feedback Message Feedback Current M[i] isthefeedbackx [i] forthenextbccall Ciphertext Feedback Current C[i] isthefeedbackx [i] Output Feedback Previous BC output Y [i 1] is the feedback X [i] We Use Combined Feedback First 3 can not fullfill our needs (small state rate-1 AE) X [i] can not be computed by exactly one of M[i], C[i], Y [i 1] COFB 9
10 Di erent Feedback Modes and COFB (Combined Feedback) Mode X[i 1] M[i] X[i 1] X[i 1] X[i 1] R R R X[i] X[i] M[i] X[i] M[i] M[i] R G X[i] C[i] C[i] C[i] Message feedback Ciphertext feedback Output feedback C[i] Combined feedback COFB 10
11 Design of COFB AE Security Bounds Properties 1 Introduction 2 Design of COFB AE Security Bounds Properties COFB 11
12 Goal of This Design Design of COFB AE Security Bounds Properties Lightweight AE mode Use low storage Standard security bound (close to the birthday bound on block size) Security proof in the standard model Smaller hardware area than the existing ones Very low number of gates other than the BC COFB 12
13 Design Rationale and Challenges Design of COFB AE Security Bounds Properties COFB: Uses Combined Feedback It needs n bits for storing the BC state It needs k bits for storing the BC key It needs n/2 bitsmoreformasking Each BC input is masked in a similar manner to XEX [7] TBC But here mask is only n/2 bits instead of n Su cient for standard security bound: thanks to our feedback function COFB 13
14 Design of COFB AE Security Bounds Properties Benchmarking in Terms of State Size Rate: Data block/bc calls Scheme State Size Rate Security Proof COFB 1.5n + k 1 Yes 1 JAMBU [9] 1.5n + k 2 Yes (Integrity only) 1 CLOC/ SILC [5, 6] 2n + k 2 Yes ifeed [10] 3n + k 1 Yes (Was Wrong)(attack in [8]) OCB [7] 3n + k 1 Yes 1 COLM [2] 3n + k 2 Yes COFB 14
15 COFB AE Mode Design of COFB AE Security Bounds Properties = E K (N) [n/4+1..3n/4] mask (a, b) = a (1 + ) b (Tweak fn described later) 1 (y, A) :=G y A (y, M) =( 1 (y, M), y M) G: Fullrankmatrix6= I (, 1 described later) For B = A/M If B 6= ^ ndivides B Then B =1 Else B =2 mask (1, 0) mask (2, 0) mask (2, A) 0 n/2 N Z[1] Z[2] Z[3] X[1] X[2] X[3] EK EK EK EK Y [0] Y [1] Y [2] A[1] 1 A[2] 1 A[3] 1 Y [3] mask (3, A) mask (4, A) mask (4, A + M ) X [1] X [2] X [3] X[4] X[5] X[6] Y [3] EK EK EK Y [4] Y [5] Y [6] M[1] 1 M[2] M[3] T C[1] C[2] C[3] COFB 15
16 Design of COFB AE Security Bounds Properties Instantiation of COFB AE Mode : COFB-AES Underlying BC We use AES-128 as the underlying BC n = 128 Mask Function mask - mask is a simple tweak update function 1 and Functions 1 and Functions - Simple linear feedback functions Last block has a di erent tweak COFB 16
17 Tweak Function Design of COFB AE Security Bounds Properties - 64-bit value derived from encryption of nonce Standard size is 128 bits but 64 bits are su cient Computed/updated by mask (a, b) = a (1 + ) b. - primitive element of F 2 64 This idea has been taken from XEX [7] (but masked length is halved) (a, b) 2 [0..L] [0..4], L be the message length in blocks COFB 17
18 Design of COFB AE Security Bounds Properties Linear Feedback Functions 1 and 1 (y, M) :=G y M and (y, M) =( 1 (y, M), y M) G :(y 1, y 2, y 3, y 4 )! (y 2, y 3, y 4, y 4 y 1 ) I 0 0 G n n = B0 0 I IA I 0 0 I COFB 18
19 Security Level for COFB-AES Design of COFB AE Security Bounds Properties Security Bound for Privacy Nonce-respecting adversary Almost Birthday Bound of 64 bits for Privacy Security Bound for Authenticity Nonce-respecting adversary Almost Birthday Bound of 64 bits for Authenticity COFB mode is secure upto O( 2n/2 n ) queries (almost birthday bound with block size n) COFB 19
20 Important Features of COFB AE Design of COFB AE Security Bounds Properties Advantages Rate =1 Very low state size of 1.5n + k (n: state size, k: keysize) Very flexible mode (any BC can be used) inverse-free Simple linear feedback Very lightweight and consumes low hardware area Limitations Both the encryption and decryption are completely serial COFB 20
21 1 Introduction COFB 21
22 Cycles per Byte Performance of COFB-AES Message length (Bytes) Algorithm COFB-AES ablockad,mblockm cycle count = (a+m) + 11 In this calculation, we assume a = m cpb = cycle count len len is length of M in bytes COFB 22
23 Cycles per Byte Performance of COFB-AES " cpb Message Length! COFB 23
24 COFB-AES Base Architecture AD/M N State chop Key AES r tweak T C COFB 24
25 COFB-AES Base Architecture Properties Serial processing of data Round-based architecture of AES Processes 128 bits per 12 clock cycles Uses very low storage registers Minimum hardware area among all the known implementations No pipelined register COFB 25
26 FSM for COFB-AES Base Architecture Start Reset St Load St AES Reset St AES Module FSM End St AES Start St Release Tag St If Final Block AES Round St Roundctr< 10 Compute Add Mask St Else, EOM, iscomplete AES Done St Roundctr= 10 COFB 26
27 COFB-AES FPGA Implementation Informations VHDL, Platform - Virtex 6, 7 Under Xilinx 13.4 Not compatible with GMU s ATHENa interface [1] Base Implementation Results Platform #Slice Frequency Mbps/ Mbps/ #LUTs #Slices Gbps Registers (MHZ) LUT Slice Virtex Virtex COFB 27
28 Benchmarking of COFB-AES on Virtex 6 Scheme #LUT #Slices Gbps Mbps / LUT Mbps / Slices ACORN (SC Based) PRIMATES-HANUMAN (Sponge) COFB-AES JAMBU-SIMON (BC Based) Ketje (Sponge) ASCON (Sponge) Joltik (TBC Based) JAMBU-AES (BC Based) SCREAM (TBC Based) NORX (Sponge) TriviA-ck (SC Based) Minalpher (BC Based) SILC (BC Based) DEOXYS (TBC Based) CLOC (BC Based) AES-GCM (BC Based) OCB (BC Based) ELmD (BC Based) AEZ (BC Based) AES-OTR (BC Based) Tiaoxin (BC Based) AEGIS (BC Based) AES-COPA (BC Based) COFB 28
29 1 Introduction COFB 29
30 Conclusion COFB : BC based AE Secure up to O(2 n/2 /n) queries Low area AE and can be used in low resource embedded devices COFB 30
31 1 Introduction COFB 31
32 ATHENa: Automated Tool for Hardware Evaluation. Elena Andreeva, Andrey Bogdanov, Nilanjan Datta, Atul Luykx, Bart Mennink, Mridul Nandi, Elmar Tischhauser, and Kan Yasuda. COLM v1. CAESAR Competition. Mihir Bellare. AUTHENTICATED ENCRYPTION. Mihir Bellare and Chanathip Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. COFB 31
33 In Advances in Cryptology - ASIACRYPT 2000, 6th International Conference on the Theory and Application of Cryptology and Information Security, Kyoto, Japan, December 3-7, 2000, Proceedings, pages , Tetsu Iwata, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi. CAESAR Candidate CLOC. DIAC Tetsu Iwata, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi. CAESAR Candidate SILC. DIAC Phillip Rogaway. E cient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. COFB 31
34 In ASIACRYPT, pages 16 31, Willem Schroé, Bart Mennink, Elena Andreeva, and Bart Preneel. Forgery and subkey recovery on CAESAR candidate ifeed. In Selected Areas in Cryptography - SAC nd International Conference, Sackville, NB, Canada, August 12-14, 2015, Revised Selected Papers, pages , Hongjun Wu and Tao Huang. The JAMBU Lightweight Authentication Encryption Mode (v2). CAESAR Competition. Liting Zhang, Wenling Wu, Han Sui, and Peng Wang. ifeed[aes] v1. CAESAR Competition. COFB 32
35 Thank you COFB 32
Updates on CLOC and SILC Version 3
Updates on CLOC and SILC Version 3 Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi DIAC 2016 September 26, 2016, Nagoya, Japan * Supported in part by JSPS KAKENHI, Grant in
More informationUpdates on CLOC and SILC
Updates on CLOC and SILC Tetsu Iwata*, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi DIAC 2015 September 28, 2015, Singapore * Supported in part by JSPS KAKENHI, Grant in Aid for Scientific
More informationAEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2016 AEGIS 1
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iminds DIAC 2016 AEGIS 1 AEGIS: A shield carried by Athena and Zeus DIAC 2016 AEGIS
More informationASCON: A Submission to CAESAR Ch. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer Graz University of Technology CECC 2015
S C I E N C E P A S S I O N T E C H N O L O G Y ASCON: A Submission to CAESAR Graz University of Technology www.iaik.tugraz.at The Team Christoph Dobraunig Maria Eichlseder Florian Mendel Martin Schläffer
More informationOptimization of Hardware Implementations with High-Level Synthesis of Authenticated Encryption
Bulletin of Networking, Computing, Systems, and Software www.bncss.org, ISSN 2186 5140 Volume 5, Number 1, pages 26 33, January 2016 Optimization of Hardware Implementations with High-Level Synthesis of
More informationCLOC: Authenticated Encryption
CLOC: Authenticated Encryption for Short Input Tetsu Iwata, Nagoya University Kazuhiko Minematsu, NEC Corporation Jian Guo, Nanyang Technological University Sumio Morioka, NEC Europe Ltd. FSE 2014 March
More informationOn authenticated encryption and the CAESAR competition
On authenticated encryption and the CAESAR competition Joan Daemen STMicroelectronics and Radboud University Crypto summer school 2015 Šibenik, Croatia, May 31 - June 5, 2015 1 / 39 What is authenticated
More informationThe JAMBU Lightweight Authentication Encryption Mode (v2)
The JAMBU Lightweight Authentication Encryption Mode (v2) 29 Aug, 2015 Designers: Hongjun Wu, Tao Huang Submitters: Hongjun Wu, Tao Huang Contact: wuhongjun@gmail.com Division of Mathematical Sciences
More informationSoftware Benchmarking of the 2 nd round CAESAR Candidates
Software Benchmarking of the 2 nd round CAESAR Candidates Ralph Ankele 1, Robin Ankele 2 1 Royal Holloway, University of London, UK 2 University of Oxford, UK October 20, 2016 SPEED-B, Utrecht, The Netherlands
More informationBenchmarking of Round 2 CAESAR Candidates in Hardware: Methodology, Designs & Results
Benchmarking of Round 2 CAESAR Candidates in Hardware: Methodology, Designs & Results Ekawat Homsirikamol, Panasayya Yalla, Ahmed Ferozpuri, William Diehl, Farnoud Farahmand, Michael X. Lyons, and Kris
More informationAPE: Authenticated Permutation-Based Encryption for Lightweight Cryptography
APE: Authenticated Permutation-Based Encryption for Lightweight Cryptography Elena Andreeva, Begül Bilgin, Andrey Bogdanov, Atul Luykx, Bart Mennink, Nicky Mouha, Kan Yasuda KU Leuven, UTwente, DTU, NTT
More informationDIAC 2015, Sept, Singapore
π-cipher V2.0 Danilo Gligoroski, ITEM, NTNU, Norway Hristina Mihajloska, FCSE, UKIM, Macedonia Simona Samardjiska, FCSE, UKIM, Macedonia Håkon Jacobsen, ITEM, NTNU, Norway Mohamed El-Hadedy, University
More informationCLOC, SILC and OTR. Kazuhiko Minematsu (NEC Corporation) Recent Advances in Authenticated Encryption 2016 Kolkata, India
CLOC, SILC and OTR Kazuhiko Minematsu (NEC Corporation) Recent Advances in Authenticated Encryption 2016 Kolkata, India 1 Outline Describe AE schemes, CLOC, SILC and OTR Merged as CLOC and SILC for CAESAR
More informationAEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2015 AEGIS 1
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iminds 1 AEGIS: A shield carried by Athena and Zeus 2 Different Design Approaches:
More informationAEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iminds 1 AEGIS: A shield carried by Athena and Zeus 2 Different Design Approaches:
More informationImplementation and Analysis of the PRIMATEs Family of Authenticated Ciphers
Implementation and Analysis of the PRIMATEs Family of Authenticated Ciphers Ahmed Ferozpuri Abstract Lightweight devices used for encrypted communication require a scheme that can operate in a low resource
More informationAutomated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes
Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes Alex J. Malozemoff University of Maryland Joint work with Matthew Green, Viet Tung Hoang, and Jonathan Katz Presented
More informationEkawat Homsirikamol, William Diehl, Ahmed Ferozpuri, Farnoud Farahmand, Michael X. Lyons, Panasayya Yalla, and Kris Gaj George Mason University USA
Toward Fair and Comprehensive Benchmarking of CAESAR Candidates in Hardware: Standard API, High-Speed ImplementaCons in VHDL/Verilog, and Benchmarking Using FPGAs Ekawat Homsirikamol, William Diehl, Ahmed
More informationBenchmarking of Round 3 CAESAR Candidates in Hardware: Methodology, Designs & Results
Benchmarking of Round 3 CAESAR Candidates in Hardware: Methodology, Designs & Results Ekawat Homsirikamol, Farnoud Farahmand, William Diehl, and Kris Gaj George Mason University USA http://cryptography.gmu.edu
More informationC vs. VHDL: Benchmarking CAESAR Candidates Using High- Level Synthesis and Register- Transfer Level Methodologies
C vs. VHDL: Benchmarking CAESAR Candidates Using High- Level Synthesis and Register- Transfer Level Methodologies Ekawat Homsirikamol, William Diehl, Ahmed Ferozpuri, Farnoud Farahmand, and Kris Gaj George
More informationMcOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes
McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes Ewan Fleischmann Christian Forler Stefan Lucks Bauhaus-Universität Weimar FSE 2012 Fleischmann, Forler, Lucks. FSE 2012. McOE:
More informationThe OCB Authenticated-Encryption Algorithm
The OCB Authenticated-Encryption Algorithm Ted Krovetz California State University, Sacramento, USA Phillip Rogaway University of California, Davis, USA IETF 83 Paris, France CFRG 11:20-12:20 in 212/213
More informationSymmetric Cryptography 2016
Symmetric Cryptography 2016 Monday, January 11 7:30 Session Chair: Frederik Armknecht Dynamic Cube Attacks Revisited, with Applications to Grain128a Another View of the Division Property Invariant Subspace
More informationPermutation-based Authenticated Encryption
Permutation-based Authenticated Encryption Gilles Van Assche 1 1 STMicroelectronics COST Training School on Symmetric Cryptography and Blockchain Torremolinos, Spain, February 2018 1 / 44 Outline 1 Why
More informationA Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004
A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security T. Shrimpton October 18, 2004 Abstract In this note we introduce a variation of the standard definition of chosen-ciphertext
More informationHow to Securely Release Unverified Plaintext in Authenticated Encryption
How to Securely Release Unverified Plaintext in Authenticated Encryption Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Nicky Mouha 1,2, and an Yasuda 1,4 1 epartment of Electrical
More informationSymmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University
Symmetric-Key Cryptography Part 1 Tom Shrimpton Portland State University Building a privacy-providing primitive I want my communication with Bob to be private -- Alice What kind of communication? SMS?
More informationEnergy Evaluation of AES based Authenticated Encryption Algorithms (Online + NMR)
Energy Evaluation of AES based Authenticated Encryption Algorithms (Online + NMR) Subhadeep Banik 1, Andrey Bogdanov 1, Francesco Regazzoni 2 1 DTU Compute, Technical University of Denmark, Lyngby 2 ALARI,
More informationHow to Use Your Block Cipher? Palash Sarkar
How to Use Your Block Cipher? Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in IACITS New Delhi, 2 nd April 2009 Palash Sarkar (ISI, Kolkata) Using
More informationLooting the LUTs : FPGA Optimization of AES and AES-like Ciphers for Authenticated Encryption
Looting the LUTs : FPGA Optimization of AES and AES-like Ciphers for Authenticated Encryption Mustafa Khairallah 1, Anupam Chattopadhyay 1,2, and Thomas Peyrin 1,2 1 School of Physical and Mathematical
More informationDeoxys v1.41. Designers/Submitters: School of Physical and Mathematical Science, Nanyang Technological University, Singapore
Deoxys v1.41 Designers/Submitters: Jérémy Jean 1,2, Ivica Nikolić 2, Thomas Peyrin 2, Yannick Seurin 1 1 ANSSI, Paris, France 2 Division of Mathematical Sciences, School of Physical and Mathematical Science,
More informationToward a New Methodology for Hardware Benchmarking of Candidates in Cryptographic Competitions: The CAESAR Contest Case Study
Toward a New Methodology for Hardware Benchmarking of Candidates in Cryptographic Competitions: The CAESAR Contest Case Study Ekawat Homsirikamol and Kris Gaj George Mason University, U.S.A. Fairfax, Virginia
More informationSymmetric Crypto MAC. Pierre-Alain Fouque
Symmetric Crypto MAC Pierre-Alain Fouque Message Authentication Code (MAC) Warning: Encryption does not provide integrity Eg: CTR mode ensures confidentiality if the blockcipher used is secure. However,
More informationMultiple forgery attacks against Message Authentication Codes
Multiple forgery attacks against Message Authentication Codes David A. McGrew and Scott R. Fluhrer Cisco Systems, Inc. {mcgrew,sfluhrer}@cisco.com May 31, 2005 Abstract Some message authentication codes
More informationComb to Pipeline: Fast Software Encryption Revisited
Comb to Pipeline: Fast Software Encryption Revisited Andrey Bogdanov, Martin M. Lauridsen, and Elmar Tischhauser DTU Compute, Technical University of Denmark, Denmark {anbog,mmeh,ewti}@dtu.dk Abstract.
More informationPipelineable On-Line Encryption (POE)
Pipelineable On-Line Encryption (POE) FSE 2014 Farzaneh Abed 2 Scott Fluhrer 1 John Foley 1 Christian Forler 2 Eik List 2 Stefan Lucks 2 David McGrew 1 Jakob Wenzel 2 1 Cisco Systems, 2 Bauhaus-Universität
More informationPipelineable On-Line Encryption
Pipelineable On-Line Encryption Farzaneh Abed 1, Scott Fluhrer 2, Christian Forler 1, Eik List 1, Stefan Lucks 1,, David McGrew 2, Jakob Wenzel 1 1 Bauhaus-Universität Weimar, Germany, 2 Cisco Systems,
More informationOCB Mode. Mihir Bellare UCSD John Black UNR Ted Krovetz Digital Fountain
OCB Mode Phillip Rogaway Department of Computer Science UC Davis + Chiang Mai Univ rogaway@cs.ucdavis.edu http://www.cs.ucdavis.edu/~rogaway +66 1 530 7620 +1 530 753 0987 Mihir Bellare UCSD mihir@cs.ucsd.edu
More informationHow to Securely Release Unverified Plaintext in Authenticated Encryption
How to Securely Release Unverified Plaintext in Authenticated Encryption Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Nicky Mouha 1,2, and an Yasuda 1,4 1 Department of Electrical
More informationIntroduction to cryptology (GBIN8U16)
Introduction to cryptology (GBIN8U16) Finite fields, block ciphers Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 01 31 Finite fields,
More informationCryptology complementary. Symmetric modes of operation
Cryptology complementary Symmetric modes of operation Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 05 03 Symmetric modes 2018 05 03
More informationStatistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes Christoph Dobraunig 1, Maria Eichlseder 1, Thomas Korak 1, Victor Lomné 2, and Florian Mendel 1 1 Graz University of Technology,
More informationAuthenticated Encryption
18733: Applied Cryptography Anupam Datta (CMU) Authenticated Encryption Online Cryptography Course Authenticated Encryption Active attacks on CPA-secure encryption Recap: the story so far Confidentiality:
More informationFeedback Week 4 - Problem Set
4/26/13 Homework Feedback Introduction to Cryptography Feedback Week 4 - Problem Set You submitted this homework on Mon 17 Dec 2012 11:40 PM GMT +0000. You got a score of 10.00 out of 10.00. Question 1
More informationParallelizable and Authenticated Online Ciphers
Parallelizable and Authenticated Online Ciphers lena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, lmar Tischhauser 1,2, and Kan Yasuda 1,4 1 Department of lectrical ngineering, SAT/COSIC,
More informationOCB3 Block Specification
OCB3 Block Specification Version 1.0.07.04.2010 By Tariq Bashir Ahmad Supervisors: Guy Hutchison Professor Phillip Rogaway 1 1 Introduction and Overview OCB3 (Offset Code Book 3) is an authenticated encryption
More informationPrøst v1.1. Designers/Submitters. Elif Bilge Kavun 1 Martin M. Lauridsen 2 Gregor Leander 1 Christian Rechberger 2 Peter Schwabe 3.
Prøst v1.1 Designers/Submitters Elif Bilge Kavun 1 Martin M. Lauridsen 2 Gregor Leander 1 Christian Rechberger 2 Peter Schwabe 3 Tolga Yalçın 4 Affiliations 1 Horst Görtz Institute for IT-Security, Ruhr
More informationOn Symmetric Encryption with Distinguishable Decryption Failures
On Symmetric Encryption with Distinguishable Decryption Failures Alexandra Boldyreva, Jean Paul Degabriele, Kenny Paterson, and Martijn Stam FSE - 12th Mar 2013 Outline Distinguishable Decryption Failures
More informationAuthenticated Encryption: How Reordering can Impact Performance
Authenticated Encryption: How Reordering can Impact Performance Basel Alomair Network Security Lab (NSL) University of Washington alomair@uw.edu Abstract. In this work, we look at authenticated encryption
More informationAuthenticated Encryption: Relations among notions and analysis of the generic composition paradigm
Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm Mihir Bellare Chanathip Namprempre July 14, 2007 Abstract An authenticated encryption scheme is a symmetric
More informationAdvanced Cryptography 1st Semester Symmetric Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 22th 2007 1 / 58 Last Time (I) Security Notions Cyclic Groups Hard Problems One-way IND-CPA,
More informationBlock ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 74 Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways
More informationLecture 9 Authenticated Encryption
Lecture 9 Authenticated Encryption COSC260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We have previously studied the goals of privacy and authenticity
More informationStateful Key Encapsulation Mechanism
Stateful Key Encapsulation Mechanism Peng Yang, 1 Rui Zhang, 2 Kanta Matsuura 1 and Hideki Imai 2 The concept of stateful encryption was introduced to reduce computation cost of conventional public key
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationECE 646 Lecture 8. Modes of operation of block ciphers
ECE 646 Lecture 8 Modes of operation of block ciphers Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5 th and 6 th Edition, Chapter 6 Block Cipher Operation II. A. Menezes, P.
More informationDistributed ID-based Signature Using Tamper-Resistant Module
, pp.13-18 http://dx.doi.org/10.14257/astl.2013.29.03 Distributed ID-based Signature Using Tamper-Resistant Module Shinsaku Kiyomoto, Tsukasa Ishiguro, and Yutaka Miyake KDDI R & D Laboratories Inc., 2-1-15,
More informationComb to Pipeline: Fast Software Encryption Revisited
Comb to Pipeline: Fast Software Encryption Revisited Andrey Bogdanov (B), Martin M. Lauridsen, and Elmar Tischhauser DTU Compute, Technical University of Denmark, Kgs. Lyngby, Denmark {anbog,mmeh,ewti}@dtu.dk
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationThe Extended Codebook (XCB) Mode of Operation
The Extended Codebook (XCB) Mode of Operation David A. McGrew and Scott Fluhrer Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95032 {mcgrew,sfluhrer}@cisco.com October 25, 2004 Abstract We describe
More informationMessage authentication codes
Message authentication codes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction security of MAC Constructions block cipher
More informationCourse Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18
Course Map Key Establishment Authenticated Encryption Key Management COMP 7/8120 Cryptography and Data Security Lecture 8: How to use Block Cipher - many time key Stream Ciphers Block Ciphers Secret Key
More informationAuthenticated Encryption
18733: Applied Cryptography Anupam Datta (CMU) Authenticated Encryption Online Cryptography Course Authenticated Encryption Active attacks on CPA-secure encryption Recap: the story so far Confidentiality:
More informationLecture 8 Message Authentication. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 8 Message Authentication COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We now have two lower-level primitives in our tool bag: blockciphers
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcements Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More informationCryptography. Andreas Hülsing. 6 September 2016
Cryptography Andreas Hülsing 6 September 2016 1 / 21 Announcements Homepage: http: //www.hyperelliptic.org/tanja/teaching/crypto16/ Lecture is recorded First row might be on recordings. Anything organizational:
More informationCS155. Cryptography Overview
CS155 Cryptography Overview Cryptography Is n n A tremendous tool The basis for many security mechanisms Is not n n n n The solution to all security problems Reliable unless implemented properly Reliable
More informationCryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1
Cryptography CS 555 Topic 11: Encryption Modes and CCA Security CS555 Spring 2012/Topic 11 1 Outline and Readings Outline Encryption modes CCA security Readings: Katz and Lindell: 3.6.4, 3.7 CS555 Spring
More informationCRYPTREC Cryptographic Technology Guideline (Lightweight Cryptography)
CRYPTREC Cryptographic Technology Guideline (Lightweight Cryptography) CRYPTREC Lightweight Cryptography Working Group March 2017 CRYPTREC Lightweight Cryptography WG Members WG Chair Naofumi Homma Tohoku
More informationAES as A Stream Cipher
> AES as A Stream Cipher < AES as A Stream Cipher Bin ZHOU, Kris Gaj, Department of ECE, George Mason University Abstract This paper presents implementation of advanced encryption standard (AES) as a stream
More informationAscon v1.2. Submission to the CAESAR Competition. Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer
Ascon v1.2 Submission to the CAESAR Competition Christoph Dobraunig, Maria Eichlseder, Florian Mendel, Martin Schläffer Institute for Applied Information Processing and Communications Graz University of
More informationBlock cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75
Block cipher modes Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 75 Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 76 Block cipher modes Block ciphers (like
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcement Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More informationAEZ v1: Authenticated-Encryption by Enciphering
: Authenticated-Encryption by Enciphering Viet Tung Hoang UC San Diego vth005@eng.ucsd.edu Ted rovetz Sacramento State ted@krovetz.net Phillip Rogaway UC Davis rogaway@cs.ucdavis.edu March 15, 2014 The
More informationAuthenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol
Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol Mihir Bellare UC San Diego mihir@cs.ucsd.edu Tadayoshi Kohno UC San Diego tkohno@cs.ucsd.edu Chanathip Namprempre Thammasat
More informationGMU Hardware API for Authen4cated Ciphers
GMU Hardware API for Authen4cated Ciphers Ekawat Homsirikamol, William Diehl, Ahmed Ferozpuri, Farnoud Farahmand, Malik Umar Sharif, and Kris Gaj George Mason University USA http:/cryptography.gmu.edu
More informationLecture 6: Symmetric Cryptography. CS 5430 February 21, 2018
Lecture 6: Symmetric Cryptography CS 5430 February 21, 2018 The Big Picture Thus Far Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.
More informationConcrete cryptographic security in F*
Concrete cryptographic security in F* crypto hash (SHA3) INT-CMA encrypt then-mac Auth. encryption Secure RPC some some some adversary attack attack symmetric encryption (AES). IND-CMA, CCA2 secure channels
More informationCompact Hardware Implementations of ChaCha, BLAKE, Threefish, and Skein on FPGA
Compact Hardware Implementations of ChaCha, BLAKE, Threefish, and Skein on FPGA Nuray At, Jean-Luc Beuchat, Eiji Okamoto, İsmail San, and Teppei Yamazaki Department of Electrical and Electronics Engineering,
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Message Authentication Codes Syntax: Key space K λ Message space M Tag space T λ MAC(k,m) à σ Ver(k,m,σ) à 0/1 Correctness: m,k,
More informationEncrypted Data Deduplication in Cloud Storage
Encrypted Data Deduplication in Cloud Storage Chun- I Fan, Shi- Yuan Huang, Wen- Che Hsu Department of Computer Science and Engineering Na>onal Sun Yat- sen University Kaohsiung, Taiwan AsiaJCIS 2015 Outline
More informationHOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)
AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? It is a function E of parameters k and n that maps { 0, 1} k { 0, 1} n { 0,
More informationInductive Trace Properties for Computational Security
Inductive Trace Properties for Computational Security Arnab Roy, Anupam Datta, Ante Derek, John C. Mitchell Department of Computer Science, Stanford University Abstract. Protocol authentication properties
More informationAuthenticated Encryption in the Face of Protocol and Side-Channel Leakage
Authenticated Encryption in the Face of Protocol and Side-Channel Leakage Guy Barwell, Daniel P. Martin, Elisabeth Oswald, Martijn Stam University of Bristol Crete, 13 October 2017 What s it about? Keywords
More informationA Brief Outlook at Block Ciphers
A Brief Outlook at Block Ciphers Pascal Junod École Polytechnique Fédérale de Lausanne, Suisse CSA 03, Rabat, Maroc, 10-09-2003 Content Generic Concepts DES / AES Cryptanalysis of Block Ciphers Provable
More informationALE: AES-Based Lightweight Authenticated Encryption
ALE: AES-Based Lightweight Authenticated Encryption Andrey Bogdanov 1, Florian Mendel 2, Francesco Regazzoni 3,4, Vincent Rijmen 5, and Elmar Tischhauser 5 1 Technical University of Denmark 2 IAIK, Graz
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 4 Markus Bläser, Saarland University Message authentication How can you be sure that a message has not been modified? Encyrption is not
More informationStream Ciphers An Overview
Stream Ciphers An Overview Palash Sarkar Indian Statistical Institute, Kolkata email: palash@isicalacin stream cipher overview, Palash Sarkar p1/51 Classical Encryption Adversary message ciphertext ciphertext
More informationAutomated Security Proofs with Sequences of Games
Automated Security Proofs with Sequences of Games Bruno Blanchet and David Pointcheval CNRS, Département d Informatique, École Normale Supérieure October 2006 Proofs of cryptographic protocols There are
More informationLecture 3.4: Public Key Cryptography IV
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2012 Nitesh Saxena Course Administration HW1 submitted Trouble with BB Trying to check with BB support HW1 solution will be posted very soon
More informationAuthenticated and Misuse-Resistant Encryption of Key-Dependent Data
Authenticated and Misuse-Resistant Encryption of Key-Dependent Data Mihir Bellare and Sriram Keelveedhi Department of Computer Science & Engineering, University of California San Diego, 9500 Gilman Drive,
More informationConcrete Security of Symmetric-Key Encryption
Concrete Security of Symmetric-Key Encryption Breno de Medeiros Department of Computer Science Florida State University Concrete Security of Symmetric-Key Encryption p.1 Security of Encryption The gold
More informationTail-MAC: A Message Authentication Scheme for Stream Ciphers
Tail-MAC: A Message Authentication Scheme for Stream Ciphers Bartosz Zoltak http://www.vmpcfunction.com bzoltak@vmpcfunction.com Abstract. Tail-MAC, A predecessor to the VMPC-MAC, algorithm for computing
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationSymmetric Encryption 2: Integrity
http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational
More informationMore crypto and security
More crypto and security CSE 199, Projects/Research Individual enrollment Projects / research, individual or small group Implementation or theoretical Weekly one-on-one meetings, no lectures Course grade
More informationChapter 6. Message Authentication. 6.1 The setting
Chapter 6 Message Authentication In most people s minds, privacy is the goal most strongly associated to cryptography. But message authentication is arguably even more important. Indeed you may or may
More informationAdvanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50
Advanced Encryption Standard and Modes of Operation Foundations of Cryptography - AES pp. 1 / 50 AES Advanced Encryption Standard (AES) is a symmetric cryptographic algorithm AES has been originally requested
More information