The OCB Authenticated-Encryption Algorithm

Similar documents
ECE 646 Lecture 8. Modes of operation of block ciphers

CLOC: Authenticated Encryption

Updates on CLOC and SILC

Updates on CLOC and SILC Version 3

ECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:

OCB Mode. Mihir Bellare UCSD John Black UNR Ted Krovetz Digital Fountain

Message authentication codes

Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes

symmetric cryptography s642 computer security adam everspaugh

Lecture 9 Authenticated Encryption

The JAMBU Lightweight Authentication Encryption Mode (v2)

Authenticated Encryption

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Symmetric Crypto MAC. Pierre-Alain Fouque

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

Feedback Week 4 - Problem Set

How to Use Your Block Cipher? Palash Sarkar

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

IDEA, RC5. Modes of operation of block ciphers

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

OCB3 Block Specification

Multiple forgery attacks against Message Authentication Codes

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Authenticated Encryption

PKCS #11 Message-Based Encryption and Decryption

Pipelineable On-Line Encryption (POE)

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

On Symmetric Encryption with Distinguishable Decryption Failures

Network Working Group Request for Comments: Category: Standards Track August 2008

Block ciphers, stream ciphers

Blockcipher-based Authentcated Encryption: How Small Can We Go? CHES 2017, Taipei, Taiwan

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Storage Encryption: A Cryptographer s View. Shai Halevi IBM Research

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Misuse-resistant crypto for JOSE/JWT

symmetric cryptography s642 computer security adam everspaugh

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Permutation-based Authenticated Encryption

On Re-keying Mechanisms for Extending The Lifetime of Symmetric Keys draft-smyshlyaev-re-keying

Cryptology complementary. Symmetric modes of operation

Deep Tech Analysis to AES-GCM in TLS 1.2 and IPSec-v3. Richard Wang and Ed Morris May 20, 2016 International Crypto Module Conference

Crypto: Symmetric-Key Cryptography

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

AES-CMCC v1.1. Designer: Jonathan Trostle. Submitter: Jonathan Trostle

DIAC 2015, Sept, Singapore

Computer Security CS 526

Goals of Modern Cryptography

Authenticated Encryption in the Face of Protocol and Side-Channel Leakage

The Extended Codebook (XCB) Mode of Operation

The Security and Performance of the Galois/Counter Mode (GCM) of Operation (Full Version)

Lecture 1 Applied Cryptography (Part 1)

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2016 AEGIS 1

The Software Performance of Authenticated-Encryption Modes

AWS Key Management Service (KMS) Handling cryptographic bounds for use of AES-GCM

Summary on Crypto Primitives and Protocols

Authenticated Encryption: How Reordering can Impact Performance

PKCS #11 Message-Based Encryption and Decryption

CLOC, SILC and OTR. Kazuhiko Minematsu (NEC Corporation) Recent Advances in Authenticated Encryption 2016 Kolkata, India

1 Achieving IND-CPA security

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Tail-MAC: A Message Authentication Scheme for Stream Ciphers

A Chosen-key Distinguishing Attack on Phelix

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

History of message integrity techniques

CS155. Cryptography Overview

OCB Mode. Phillip Rogaway. Department of Computer Science UC Davis + CMU

Stateful Key Encapsulation Mechanism

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

Symmetric Encryption 2: Integrity

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

The Definition and Software Performance of Hashstream, a Fast Length-Flexible PRF

The Galois/Counter Mode of Operation (GCM)

Uses of Cryptography

Introduction to cryptology (GBIN8U16)

Information Security CS526

A Surfeit of SSH Cipher Suites

Scanned by CamScanner

Homework 3: Solution

Authenticated Encryption in TLS

Distributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011

Strong Privacy for RFID Systems from Plaintext-Aware Encryption

Content of this part

Ac,ve a4acks on CPA- secure encryp,on

CS155. Cryptography Overview

APE: Authenticated Permutation-Based Encryption for Lightweight Cryptography

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004

Message Authentication ( 消息认证 )

Symmetric and Password- based encrypdon. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

CS 161 Computer Security

The Galois/Counter Mode of Operation (GCM) 170 West Tasman Drive 4100 Lafayette Center Drive, Suite 100 San Jose, CA Chantilly, VA 20151

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

05 - WLAN Encryption and Data Integrity Protocols

How to Securely Release Unverified Plaintext in Authenticated Encryption

Lecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Parallelizable and Authenticated Online Ciphers

Transcription:

The OCB Authenticated-Encryption Algorithm Ted Krovetz California State University, Sacramento, USA Phillip Rogaway University of California, Davis, USA IETF 83 Paris, France CFRG 11:20-12:20 in 212/213 March 30, 2012 1

Why am I here? I ve not attended standards meetings Underused academic work of mine, 2001-11 (OCB David McGrew explained that someone must present OCB for the RG sponsor it. Not clear it matters if the RFC is sponsored, but seems more consistent with the maturity and degree of review. 2

What is authenticated-encryption (AE) Symmetric encryption that simultaneously provides privacy and authenticity Historically: Encryption only for privacy IND-CPA Separate tool, a MAC, for authenticity Why AE? - Simper-to-correctly use - Efficiency improvements possible 3

AE Scheme N M AD Enc coins C ^} Move the coins out Make nonce sufficient Build in authenticity Add associated data K 4

AE Scheme nonce associated data plaintext N AD M key K Enc encryption (deterministic) ciphertext C 5

AE Scheme nonce associated data ciphertext N AD C key K Dec decryption (deterministic) plaintext or ^ M 6

AE Security N, AD, M Enc K (,, ) C C $ Enc K (,, ) A Dec K (,, ) M ^ ^ (,, ) N, AD, C ae P Adv (A) = Pr[A Enc K Dec K 1] - Pr[A $ ^ 1] A may not repeat an encryption query or ask a decryption query (N, AD, C) where C was previously returned by an (N, AD, ) encryption query. 7

Approaches to achieving AE Confusion/diffusion: one atomic primitive * Helix, SOBER, Composed: ind$-secure symmetric encryption + PRF * EtM, MtE, E&M [folklore; BN 2000] * CCM [WHF 2002; NIST 800-38c] * GCM [MV 2004; NIST 800-38D] Integrated: blend privacy/authenticity parts * OCB [RBBK 2001, R2004, KR 2011]; following [Jutla 2001] 8

CCM Mode Whiting, Housley, Ferguson 2002 NIST SP 800-38C RFC 3610, 4309, 5084 9

CCM Mode Whiting, Housley, Ferguson 2002 NIST SP 800-38C RFC 3610, 4309, 5084, 5116 Provably secure AE if E is a good PRP Widely used, standardized (eg, in 802.11) About 2m blockcipher calls Half of them non-parallelizable Not online need to know m in advance 10

GCM Mode with 96-bit nonce McGrew, Viega 2004 NIST SP 800-38D RFC 4106, 5084, 5116, 5288, 5647 11

GCM Mode McGrew, Viega 2004 NIST SP 800-38D RFC 4106, 5084, 5116, 5288, 5647 Provably secure AE if E is a good PRP Poor bound if truncate tag too much (Ferguson, 2005) (don t truncate <96 bits) Published proof is buggy [Iwata, 2012] Used in: IPSec, P1619.1, TLS, About m blockcipher calls, all of them parallelizable Efficient implementation in HW Efficient implementation in SW with preprocessing & tables, or HW support Timing attacks may be possible 12

OCB Mode [RBBK01, R04, KR10] following [J01,GD01,LR02] = M 1 M 2 M 3 M 4 13

OCB, in full 14

Provably secure AE (if blockcipher a strong PRP) Good bound (no problem to truncate tag) Most software-efficient AE scheme No timing attacks (if underlying blockcipher immune) Comprehensive literature RBBK01 CCS 2001 A blockcipher mode of operation for efficient AE Ro02 Ro04 KR11 OCB Mode CCS 2002 Authenticated-encryption with associated data Asiacrypt 2004 Efficient instantiations of TBCs and refinements to OCB FSE 2011 The software performance of AE modes Standardized in ISO/IEC 19772 Not widely used 15

[KR11] Software Performance Intel Core x86 i5-650 Clarkdale 64-bit OS, using AES/GCM NIs Mode Peak cpb CCM 4.17 GCM 3.73 OCB 1.48 CTR 1.27 Time 16

[KR11] Software Performance Intel Core x86 i5-650 Clarkdale 64-bit OS, using AES/GCM NIs Mode Peak cpb CCM 2.09 GCM 2.46 OCB 0.21 Overhead 17

[KR11] Software Performance Intel Core x86 i7 Sandy Bridge 64-bit OS, using AES/GCM NIs Mode Peak cpb CCM 5.14 GCM 2.95 OCB 0.87 Time 18

Key Differences Increment AD Cipher calls Stalls OCB1 (2001) Table No m+2 2 OCB2 (2004) shift, xor Yes m+2 2 OCB3 (20011) Table Yes m+1.02 0 Non-Differences Bounds, ciphertext length, parallelizability, timing-attack resistance. 19

[KR11] Software Performance Intel Core x86 i5-650 Clarkdale 64-bit OS, using AES/GCM NIs Time OCB variants Mode Peak cpb CCM 4.17 GCM 3.73 OCB1 1.48 OCB2 1.80 OCB3 1.48 CTR 1.27 20

Final Comments Very mature algorithm. No further refinements Significant advantages to CCM and GCM software speed (CCM, GCM) parallelizability (CCM) key agility (GCM) online (CCM) tag truncation (GCM) Trying to get all parties to agree to free licensing for all SW (or at least all open-source SW) www.cs.ucdavis.edu/~rogaway/ocb optimized C code performance graphs Questions? 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback