CLOC: Authenticated Encryption

Similar documents
Updates on CLOC and SILC Version 3

Updates on CLOC and SILC

CLOC, SILC and OTR. Kazuhiko Minematsu (NEC Corporation) Recent Advances in Authenticated Encryption 2016 Kolkata, India

The OCB Authenticated-Encryption Algorithm

Blockcipher-based Authentcated Encryption: How Small Can We Go? CHES 2017, Taipei, Taiwan

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2016 AEGIS 1

Feedback Week 4 - Problem Set

The JAMBU Lightweight Authentication Encryption Mode (v2)

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

ECE 646 Lecture 8. Modes of operation of block ciphers

Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes

Symmetric Crypto MAC. Pierre-Alain Fouque

Some Aspects of Block Ciphers

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Message authentication codes

History of message integrity techniques

Authenticated Encryption

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1

Misuse-resistant crypto for JOSE/JWT

Pipelineable On-Line Encryption (POE)

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2015 AEGIS 1

How to Use Your Block Cipher? Palash Sarkar

symmetric cryptography s642 computer security adam everspaugh

Provably Secure MACs from Differentially-uniform Permutations and AES-based Implementations

Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Block Cipher Operation

Permutation-based Authenticated Encryption

Storage Encryption: A Cryptographer s View. Shai Halevi IBM Research

Computer Security CS 526

Content of this part

COMP4109 : Applied Cryptography

Block Cipher Operation. CS 6313 Fall ASU

Authenticated encryption

PKCS #11 Message-Based Encryption and Decryption

The Salsa20 Family of Stream Ciphers

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Stream Ciphers. Stream Ciphers 1

Authenticated Encryption in TLS

Sensor Networks. Xueying Zhang, Howard M. Heys, and Cheng Li. Electrical and Computer Engineering. Faculty of Engineering and Applied Science

ECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:

Midgame Attacks. (and their consequences) Donghoon Chang 1 and Moti Yung 2. IIIT-Delhi, India. Google Inc. & Columbia U., USA

Authenticated Encryption

Authenticated Encryption in the Face of Protocol and Side-Channel Leakage

Solutions to exam in Cryptography December 17, 2013

Scanned by CamScanner

CIS 4360 Secure Computer Systems Symmetric Cryptography

PKCS #11 Message-Based Encryption and Decryption

CSC 474/574 Information Systems Security

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

OCB Mode. Mihir Bellare UCSD John Black UNR Ted Krovetz Digital Fountain

MTAT Applied Cryptography

The Security and Performance of the Galois/Counter Mode (GCM) of Operation (Full Version)

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Network Working Group Request for Comments: Category: Standards Track August 2008

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

IDEA, RC5. Modes of operation of block ciphers

05 - WLAN Encryption and Data Integrity Protocols

Katz, Lindell Introduction to Modern Cryptrography

CENG 520 Lecture Note III

Introducing the PIC24F GB2 MCU Family: extreme Low Power with Hardware Crypto Engine

AWS Key Management Service (KMS) Handling cryptographic bounds for use of AES-GCM

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

Symmetric-Key Cryptography

A Surfeit of SSH Cipher Suites

Intel Software Guard Extensions (Intel SGX) Memory Encryption Engine (MEE) Shay Gueron

IND-CCA2 secure cryptosystems, Dan Bogdanov

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Crypto: Symmetric-Key Cryptography

Deoxys v1.41. Designers/Submitters: School of Physical and Mathematical Science, Nanyang Technological University, Singapore

Message Authentication ( 消息认证 )

CS155. Cryptography Overview

Securing Your Wireless LAN

in a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a

Goals of Modern Cryptography

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Summary on Crypto Primitives and Protocols

Software Implementation And Evaluation Of Lightweight Symmetric Block Ciphers Of The Energy Perspectives And Memory

Elastic Block Ciphers: The Feistel Cipher Case

Lecture 1 Applied Cryptography (Part 1)

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

The Calico Family of Authenticated Ciphers

Symmetric Encryption. Thierry Sans

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Block Cipher Modes of Operation

Multiple forgery attacks against Message Authentication Codes

Information Security CS526

Symmetric Encryption 2: Integrity

symmetric cryptography s642 computer security adam everspaugh

Cryptography 2017 Lecture 3

Key Encryption as per T10/06-103

Lecture 20 Public key Crypto. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422

DIAC 2015, Sept, Singapore

Ming Ming Wong Jawad Haj-Yahya Anupam Chattopadhyay

1 Defining Message authentication

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Symmetric Cryptography 2016

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

NIST s Lightweight Crypto Standardization Process

Transcription:

CLOC: Authenticated Encryption for Short Input Tetsu Iwata, Nagoya University Kazuhiko Minematsu, NEC Corporation Jian Guo, Nanyang Technological University Sumio Morioka, NEC Europe Ltd. FSE 2014 March 3, 2014, London, UK 1

Outline Anew authenticated encryption with associate data scheme (AEAD) CLOC: Compact Low Overhead CFB, pronounced as clock 2

CLOC Design Goal Provably secure AEAD that is based on a blockcipher Standard security notions for privacy and authenticity To improve previous schemes, CCM, EAX, and EAX prime the implementation overhead beyond the blockcipher the precomputation complexity the memory requirement 3

CLOC Design Goal Suitable for handling short input data, say 16 bytes, without needing precomputation nor large memory Suitable for small microprocessors, where the word size is typically 8 bits or 16 bits, and there are significant restrictions in the size and the number of registers 4

CCM, EAX, and EAX Prime AEADs based on a blockcipher CCM (NIST SP 800 38C) not online EAX (ISO/IEC 19772) precomputation costs (L = E K (0), 2L, 4L, E K (1), and E K (2)) time and memory EAX prime (ANSI C12.22) efficiently handles short input data with small memory practical attacks CLOC removes these limitations remove L= E K (0) or doubling operations over GF(2 n ) 5

Short Input Data Performance for short input data matters: Low power sensor networks Zigbee: at most 127 bytes Bluetooth Low Energy: at most 47 bytes Electronic Product Code (EPC): typically 96 bits For long input data, the efficiency of CLOC is the same as CCM, EAX, and EAX prime 2 blockcipher calls per 1 plaintext block CLOC is for short input data 6

CLOC Properties Nonce based AEAD uses only the encryption of the blockcipher both for encryption and decryption When A 1, it makes N n + A n + 2 M n blockcipher calls for a nonce N, associated data A, and a plaintext M where X is the length of X in bits and X n is the length in n bit blocks 1 N n 1, so N n = 1 No precomputation (blockcipher calls, generation of key dependent tables,... ) is needed when A = 0, it needs N n + 1 + 2 M n calls 7

CLOC Properties For short input data 1 block nonce, 1 block associated data, and 1 block plaintext CLOC: 4 calls CCM: 5 or 6 calls EAX: 7 calls (where 3 out of 7 can be precomputed) EAX prime: 5 calls (where 1 out of 5 can be precomputed) Static associated data can be handled efficiently It works with two state blocks (i.e. 2n bits) Sequential 8

Overview of the Scheme Encrypt then PRF paradigm uses a variant of CFB mode in its encryption part and a variant of CBC MAC in the authentication part 9

Tools The one zero padding function: ozp ozp(x) = X if X =jn for some j > 0, and ozp(x) = X 10 0 The tweak functions: f 1, f 2, g 1, g 2, and h use them to directly update the state The bit fixing functions: fix0 and fix1 fix0(x): overwrite msb 1 (X) with 0 fix1(x): overwrite msb 1 (X) with 1 fix1(0000) = 1000, fix1(1100) = 1100 10

V < HASH K (A,N) A variant of CBC MAC 1 N n 1 11

V < HASH K (A,N) A variant of CBC MAC 1 N n 1 12

V < HASH K (A,N) A variant of CBC MAC 1 N n 1 13

V < HASH K (A,N) A variant of CBC MAC 1 N n 1 14

C < ENC K (V,M) A variant of CFB mode 15

T < PRF K (V,C) A variant of CBC MAC 16

T < PRF K (V,C) A variant of CBC MAC g 1 is used when C =0 17

Rationale The bit fixing functions used to logically separate CBC MAC and CFB mode otherwise, attacks are possible 18

Rationale The tweak functions There are 55 differential probability constraints Kxorf 1 (K), f 1 (K) xor g 1 (f 1 (h(k))),... Define a matrix M as K M = (K[1], K[2], K[3], K[4]) M = (K[2], K[3], K[4], K[1] xor K[2]) 19

20

Rationale The tweak functions associate (i 1, i 2, i 3, i 4, i 5 ) {1,..., 14} 5 with (f 1, f 2, g 1, g 2, h) f 1 : M i1, f 2 : M i2, g 1 : M i3, g 2 : M i4, h: M i5 Tested all (i 1, i 2, i 3, i 4, i 5 ) {1,..., 14} 5 e.g., K xor f 1 (K): the rank of I xor M i1 is full (I is the identity matrix) 14 5 > 864 candidates Defined a cost function to choose the best exponentiations roughly measures the computational cost of (f 1, f 2, g 1, g 2, h) (i 1, i 2, i 3, i 4, i 5 ) = (8, 1, 2, 1, 4) 21

Works with Two State Blocks 22

Security Privacy: Indistinguishability of ciphertexts from random bits against nonce respecting adversaries in a chosen plaintext attack setting 23

Security Authenticity: Unforgeability against nonce reusing adversaries in a chosen ciphertext attack setting A strong adversary 24

Software Implementation Embedded software Atmel AVR ATmega128 8 bit microprocessor AES from [AVR Crypto Lib] written in assembler 156.7 cpb for encryption, 196.8 cpb for decryption CLOC, EAX, and OCB3 modes are written in C OCB3 code from [OCB News and Code] w/ modification doubling operations are on line, large precomputation may not be suitable to handle short input data for microprocessors compiled with Atmel Studio 6 25

Software Implementation 1 block AD, no static AD computation cycle counting is obtained by the simulation of Atmel Studio 6 RAM is measured with a public tool [EZSTACK] In CLOC, the RAM usage is low and Init is fast, and it is fast for short input data, up to around 128 bytes 26

Software Implementation updated from the pre proceedings 27

Software Implementation General purpose CPU Intel processor, Core i5 3427U 1.80GHz (Ivy Bridge family) AES 128, AES NI CLOC: about 4.9 cpb for long input data (more than 2 20 blocks) AES calls in CFB mode and CBC MAC (in tag generation) can be done in parallel 28

Software Implementation For long input data, CLOC is close to the speed of serial encryption only mode (CBC mode) CLOC: about 4.9 cpb serial AES 128 encryption: about 4.3 cpb 29

Software Implementation For long input data, CLOC is close to the speed of serial encryption only mode (CBC mode) CLOC: about 4.9 cpb serial AES 128 encryption: about 4.3 cpb 30

Software Implementation For long input data, CLOC is close to the speed of serial encryption only mode (CBC mode) CLOC: about 4.9 cpb serial AES 128 encryption: about 4.3 cpb 31

Hardware Implementation Not the main focus Altera FPGA, Cyclone IV GX (EP4CGX110DF31C7) w/ AES 128, composite field S box implementation, roundbased architecture Size is measured in terms of LEs (logic elements) one block of associated data and 8 blocks of plaintexts Slightly smaller and faster than EAX 32

Conclusions Designed CLOC and analyzed the security and the efficiency CLOC is designed to efficiently handle short input data and suitable for use in small microprocessors it works without heavy precompuation nor large memory 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback