Blockcipher-based Authenticated Encryption: How Small Can We Go? CHES 2017, Taipei, Taiwan


Blockcipher-based Authenticated Encryption: How Small Can We Go? Avik Chakraborti (NTT Secure Platform Laboratories, Japan), Tetsu Iwata (Nagoya University, Japan), Kazuhiko Minematsu (NEC Corporation, Japan), Mridul Nandi (Indian Statistical Institute, India). CHES 2017, Taipei, Taiwan, September 2017. COFB 1

Outline
1 Introduction
2 Design of COFB AE (Security Bounds, Properties)
3
4
5

Authenticated Encryption (AE)
Figure: Data Transmission (taken from [3])
A symmetric encryption scheme is a triple $\mathrm{AE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ with
  $\mathcal{E} : \mathcal{K} \times \mathcal{M} \times \mathcal{N} \times \mathcal{A} \to \mathcal{C}$
  $\mathcal{D} : \mathcal{K} \times \mathcal{C} \times \mathcal{N} \times \mathcal{A} \to \mathcal{M} \cup \{\bot\}$
$\mathcal{C}$ is the set of tagged ciphertexts; $\bot$ is a special symbol denoting reject.
Goal       Primitive              Security
Privacy    Symmetric encryption   IND-CCA / IND-CPA
Integrity  MAC                    UF-CMA

Authenticated Encryption (AE)
Input: M, A, N, K. Output: C.
K: key space, M: message space, N: nonce space, A: associated data space, C: ciphertext space.
Nonce: an arbitrary number used only once per encryption; useful as an initialization vector. Example: a counter.
Associated data: the header of the message, not encrypted but authenticated. Example: an IP address.

Authenticated Encryption (AE): Why AE?
In practice both privacy and authenticity are desirable. Example taken from [3]: a doctor wishes to send medical information about Alice to the medical database. We want data privacy, to ensure Alice's medical records remain confidential, and we want integrity, to ensure the person sending the information really is the doctor and that the information was not modified in transit. We refer to this combination as authenticated encryption.

Security of Authenticated Encryption [4]
Privacy: we want IND-CPA.
Integrity: the adversary's goal is that the receiver accepts a forged tuple ((C, T), N, A). INT-CTXT: any forged tuple is rejected with high probability.
Goal: IND-CPA + INT-CTXT.

Unified AE Security
Adversary $A$ runs in time $t$, makes $q$ encryption queries ($\sigma$ encryption blocks in total) and $q_f$ forgery queries ($\sigma_f$ forgery blocks in total).
$\mathrm{Adv}^{\mathrm{AE}}_{E}(A) = \Delta_A\big((E_K, D_K);\ (\$, \bot)\big)$
$\$$ returns a random string from the range of $E_K$; the $\bot$ oracle always returns $\bot$.
$\mathrm{Adv}^{\mathrm{AE}}_{E}((q, q_f), (\sigma, \sigma_f), t) = \max_A \mathrm{Adv}^{\mathrm{AE}}_{E}(A)$

Construction of an AE Scheme
There are several ways of designing AE: blockcipher (BC) based, streamcipher (SC) based, permutation based, etc. We consider BC-based AE.
BC-based AE:
- Sequential nonce-based AE: CLOC, SILC
- Parallel on-line AE: ELmD, COPA, COLM
- Parallel nonce-based AE: OCB, OTR
Our target: sequential nonce-based AE. The design task is the feedback function.

Possible Options for Feedback
- Message feedback: the current M[i] is the feedback X[i] for the next BC call.
- Ciphertext feedback: the current C[i] is the feedback X[i].
- Output feedback: the previous BC output Y[i-1] is the feedback X[i].
- Combined feedback (what we use).
The first three cannot fulfil our needs (a small-state, rate-1 AE): X[i] cannot be computed from exactly one of M[i], C[i], Y[i-1].

Different Feedback Modes and COFB (Combined Feedback) Mode
Figure: four feedback modes drawn as one block step each, with inputs X[i-1], M[i], the BC output and the ciphertext C[i]: message feedback, ciphertext feedback, output feedback, and combined feedback (COFB), where the next input X[i] depends on the previous output through the matrix G together with M[i].

2 Design of COFB AE: Security Bounds, Properties

Goal of This Design
A lightweight AE mode that
- uses little storage,
- has a standard security bound (close to the birthday bound on the block size),
- has a security proof in the standard model,
- has smaller hardware area than existing designs, and
- needs very few gates other than the BC.

Design Rationale and Challenges
COFB uses combined feedback. It needs n bits to store the BC state, k bits to store the BC key, and n/2 more bits for masking. Each BC input is masked in a manner similar to the XEX [7] tweakable block cipher (TBC), but here the mask is only n/2 bits instead of n. This is sufficient for the standard security bound thanks to our feedback function.

Benchmarking in Terms of State Size (rate = data blocks per BC call)
Scheme            State size   Rate   Security proof
COFB              1.5n + k     1      Yes
JAMBU [9]         1.5n + k     1/2    Yes (integrity only)
CLOC/SILC [5,6]   2n + k       1/2    Yes
iFeed [10]        3n + k       1      Yes (was wrong; attack in [8])
OCB [7]           3n + k       1      Yes
COLM [2]          3n + k       1/2    Yes

COFB AE Mode
$\Delta = E_K(N)[n/4+1 .. 3n/4]$
$\mathrm{mask}_\Delta(a, b) = \alpha^a (1+\alpha)^b \Delta$ (tweak function described later)
$\rho_1(y, A) := G \cdot y \oplus A$, $\rho(y, M) = (\rho_1(y, M),\ y \oplus M)$
$G$: full-rank matrix, $G \neq I$ ($\rho$, $\rho_1$ described later)
For $B \in \{A, M\}$: if $B \neq \varepsilon$ and $n$ divides $|B|$ then $\delta_B = 1$, else $\delta_B = 2$.
Figure: the COFB AE mode for three AD blocks and three message blocks. The nonce $N$ (with $0^{n/2}$ padding) is encrypted with $E_K$ to give $Y[0]$. Each AD block $A[i]$ enters $\rho_1$ together with the previous output $Y[i-1]$, giving $Z[i]$; the BC input $X[i]$ is that value masked with $\mathrm{mask}_\Delta(1,0)$, $\mathrm{mask}_\Delta(2,0)$, $\mathrm{mask}_\Delta(2,\delta_A)$, and $E_K$ produces $Y[1], Y[2], Y[3]$. Message blocks $M[1], M[2], M[3]$ then enter $\rho$, which also outputs $C[1], C[2], C[3]$; the BC inputs $X[4], X[5], X[6]$ are masked with $\mathrm{mask}_\Delta(3,\delta_A)$, $\mathrm{mask}_\Delta(4,\delta_A)$, $\mathrm{mask}_\Delta(4,\delta_A+\delta_M)$, giving $Y[4], Y[5], Y[6]$, and the tag $T$ is taken from the final output $Y[6]$.

Instantiation of the COFB AE Mode: COFB-AES
Underlying BC: AES-128, so n = 128.
Mask function: mask is a simple tweak-update function.
$\rho_1$ and $\rho$: simple linear feedback functions.
The last block uses a different tweak.

Tweak Function
$\Delta$: a 64-bit value derived from the encryption of the nonce. The standard size would be 128 bits, but 64 bits are sufficient.
Computed/updated by $\mathrm{mask}_\Delta(a, b) = \alpha^a (1+\alpha)^b \Delta$, where $\alpha$ is a primitive element of $\mathbb{F}_{2^{64}}$.
The idea is taken from XEX [7], but the mask length is halved.
$(a, b) \in [0..L] \times [0..4]$, where $L$ is the message length in blocks.
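The following is an added example, not code from the COFB paper or slides, showing the tweak arithmetic above in software: $\mathrm{mask}_\Delta(a,b)$ computed from scratch, the same mask reached incrementally the way a 64-bit tweak register would (one multiplication by $\alpha$ or by $1+\alpha$ per step, so no mask table is stored), a check that $\alpha$ really generates $\mathbb{F}_{2^{64}}^*$, and the chop $\Delta = E_K(N)[n/4+1..3n/4]$. Two things are assumptions, because the slides do not state them: the field is $\mathbb{F}_2[x]/(x^{64}+x^4+x^3+x+1)$ with $\alpha = x$, and the bit numbering of the chop is big-endian (bytes 4..11 of the 16-byte block). The sequence of $(a, b)$ pairs in `figure_masks` is the one drawn on the COFB mode slide for three AD and three message blocks.

```python
# Added example (not from the COFB paper or slides): XEX-style tweak update
# mask_Delta(a, b) = alpha^a (1 + alpha)^b Delta over GF(2^64).
# Assumptions: field GF(2)[x]/(x^64 + x^4 + x^3 + x + 1), alpha = x, and
# Delta = bytes 4..11 (big-endian) of the 16-byte block E_K(N).

POLY = (1 << 64) | (1 << 4) | (1 << 3) | (1 << 1) | 1   # x^64 + x^4 + x^3 + x + 1
MASK64 = (1 << 64) - 1
ORDER = MASK64                                          # |GF(2^64)^*| = 2^64 - 1
ORDER_FACTORS = (3, 5, 17, 257, 641, 65537, 6700417)    # prime factors of 2^64 - 1


def gf_mul_alpha(v):
    """v * alpha: one shift and at most one reduction (the XEX 'doubling')."""
    v <<= 1
    if v >> 64:
        v ^= POLY
    return v & MASK64


def gf_mul(u, v):
    """General carry-less multiplication mod POLY; used only for cross-checks."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        u = gf_mul_alpha(u)
        v >>= 1
    return r


def gf_pow(base, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def is_primitive(elem=2):
    """elem generates GF(2^64)^* iff elem^((2^64-1)/p) != 1 for every prime p | 2^64-1."""
    return all(gf_pow(elem, ORDER // p) != 1 for p in ORDER_FACTORS)


def derive_delta(y0: bytes) -> int:
    """Delta = E_K(N)[n/4+1 .. 3n/4]: the middle 64 bits of the 128-bit block Y[0]."""
    assert len(y0) == 16
    return int.from_bytes(y0[4:12], "big")


def mask(delta, a, b):
    """mask_Delta(a, b) = alpha^a (1 + alpha)^b Delta, computed from scratch."""
    m = delta
    for _ in range(a):
        m = gf_mul_alpha(m)
    for _ in range(b):
        m ^= gf_mul_alpha(m)          # m * (1 + alpha) = m + m * alpha
    return m


class TweakRegister:
    """Models the 64-bit tweak register of the base architecture: it holds only
    the current mask and reaches the next (a, b) by multiplying by alpha or by
    (1 + alpha), so neither a mask table nor an n-bit mask is ever stored."""

    def __init__(self, delta):
        self.value, self.a, self.b = delta, 0, 0

    def advance_to(self, a, b):
        assert a >= self.a and b >= self.b, "tweak indices only move forward"
        for _ in range(a - self.a):
            self.value = gf_mul_alpha(self.value)
        for _ in range(b - self.b):
            self.value ^= gf_mul_alpha(self.value)
        self.a, self.b = a, b
        return self.value


def figure_masks(delta, delta_a=1, delta_m=1):
    """(a, b) sequence from the COFB mode slide (three AD blocks, three message
    blocks; delta_A / delta_M flag the last block of each part), with each mask
    produced incrementally by the register model."""
    seq = [(1, 0), (2, 0), (2, delta_a),
           (3, delta_a), (4, delta_a), (4, delta_a + delta_m)]
    reg = TweakRegister(delta)
    return [(a, b, reg.advance_to(a, b)) for a, b in seq]
```

`is_primitive()` is the check a reviewer would run once on the chosen polynomial: if $\alpha$ were not primitive, two different $(a, b)$ pairs within the allowed range could collide and the XEX-style argument behind the bound would not apply.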

Linear Feedback Functions $\rho_1$ and $\rho$
$\rho_1(y, M) := G \cdot y \oplus M$ and $\rho(y, M) = (\rho_1(y, M),\ y \oplus M)$
$G : (y_1, y_2, y_3, y_4) \mapsto (y_2, y_3, y_4, y_4 \oplus y_1)$
$$G_{n \times n} = \begin{pmatrix} 0 & I & 0 & 0 \\ 0 & 0 & I & 0 \\ 0 & 0 & 0 & I \\ I & 0 & 0 & I \end{pmatrix}$$
(each $y_i$ is $n/4$ bits and each block of $G$ is $n/4 \times n/4$)
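As an added example (not code from the COFB paper or slides), here are $G$, $\rho_1$ and $\rho$ for $n = 128$, together with the decryption-side feedback that the slides only imply: given $y$ and $C$, recover $M = y \oplus C$ and then the same $X = G \cdot y \oplus M$, so decryption never calls $E_K^{-1}$. The blocks are chained through a stand-in for $E_K$ to show the serial, rate-1 structure; the stand-in is keyed BLAKE2b truncated to 128 bits, chosen on purpose because it is not invertible, which makes the inverse-free claim visible. The word order ($y_1$ most significant) and the stand-in are assumptions; masking, AD processing and tag handling are left out, so this is the message path only.

```python
# Added example, not code from the COFB paper or slides: COFB feedback
# functions for n = 128 and the inverse-free decryption counterpart.
# Assumptions: y = y1 || y2 || y3 || y4 with y1 the most significant 32-bit
# word; E_K replaced by keyed BLAKE2b (a PRF, not AES); no masking/AD/tag.
import hashlib

W = 32                       # n/4 bits per word for n = 128
MASK32 = (1 << W) - 1


def split4(y):
    return [(y >> (W * (3 - i))) & MASK32 for i in range(4)]


def join4(ws):
    return (ws[0] << 96) | (ws[1] << 64) | (ws[2] << 32) | ws[3]


def G(y):
    """G(y1, y2, y3, y4) = (y2, y3, y4, y4 ^ y1): full-rank, not the identity."""
    y1, y2, y3, y4 = split4(y)
    return join4([y2, y3, y4, y4 ^ y1])


def G_inv(z):
    """Inverse of G (exists since G is full rank): y1 = z4 ^ z3, (y2, y3, y4) = (z1, z2, z3)."""
    z1, z2, z3, z4 = split4(z)
    return join4([z4 ^ z3, z1, z2, z3])


def rho1(y, m):
    """rho_1(y, M) = G.y xor M: the next block-cipher input."""
    return G(y) ^ m


def rho(y, m):
    """rho(y, M) = (rho_1(y, M), y xor M) = (X, C): encryption side."""
    return rho1(y, m), y ^ m


def rho_dec(y, c):
    """Decryption side: M = y xor C, then the same X = G.y xor M; E_K^{-1} is never needed."""
    m = y ^ c
    return rho1(y, m), m


def F(key: bytes, x: int) -> int:
    """Stand-in for E_K (assumption: keyed BLAKE2b, deliberately non-invertible)."""
    h = hashlib.blake2b(x.to_bytes(16, "big"), key=key, digest_size=16)
    return int.from_bytes(h.digest(), "big")


def encrypt_blocks(key, y0, mblocks):
    """Rate-1 message path: one F call per block; the only carried state is the n-bit Y."""
    y, out = y0, []
    for m in mblocks:
        x, c = rho(y, m)
        out.append(c)
        y = F(key, x)
    return out, y            # the final Y is where COFB takes its tag from


def decrypt_blocks(key, y0, cblocks):
    """Mirror of encrypt_blocks using rho_dec; same F calls, no inverse."""
    y, out = y0, []
    for c in cblocks:
        x, m = rho_dec(y, c)
        out.append(m)
        y = F(key, x)
    return out, y


def roundtrip_ok(key=b"constructed-demo-key",
                 nonce_block=0x0123456789abcdef0123456789abcdef,
                 mblocks=(0x00112233445566778899aabbccddeeff, 0, (1 << 128) - 1)):
    """Constructed inputs: encrypt, decrypt, and check plaintext and final state agree."""
    y0 = F(key, nonce_block)          # plays the role of Y[0] = E_K(N)
    c, t_enc = encrypt_blocks(key, y0, list(mblocks))
    m, t_dec = decrypt_blocks(key, y0, c)
    return m == list(mblocks) and t_enc == t_dec
```

`G_inv` is included only to make the full-rank claim checkable; the mode itself never inverts $G$, and `decrypt_blocks` shows that the receiver's state update is the same single forward call of the block function as the sender's.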

Security Level for COFB-AES
Privacy: against a nonce-respecting adversary, almost the birthday bound, 64 bits.
Authenticity: against a nonce-respecting adversary, almost the birthday bound, 64 bits.
The COFB mode is secure up to $O(2^{n/2}/n)$ queries (almost the birthday bound in the block size $n$).

Important Features of COFB AE
Advantages:
- rate 1;
- very low state size of 1.5n + k (n: block size, k: key size);
- very flexible mode (any BC can be used);
- inverse-free;
- simple linear feedback;
- very lightweight, low hardware area.
Limitation: both encryption and decryption are completely serial.


Cycles per Byte: Performance of COFB-AES
Message length (bytes)   16     32     64     128    256    512    1024   2048   4096   16384  32768
COFB-AES (cpb)           2.93   2.22   1.86   1.68   1.59   1.54   1.52   1.51   1.50   1.50   1.50
With a AD blocks and m message blocks, cycle count = 12 + 12(a + m) + 11. In this calculation we assume a = m. cpb = cycle count / len, where len is the length of M in bytes.

Cycles per Byte: Performance of COFB-AES
Figure: cpb (1.5 to 3.0) versus message length (16 to 32768 bytes) for COFB-AES, plotting the values in the table above.

COFB-AES Base Architecture
Figure: datapath of the base architecture. Inputs AD/M (128 bits) and the nonce N (zero-padded with 0^64) feed a 128-bit State register; a 64-bit chop of the state loads the 64-bit tweak register, which is updated by the mask function and zero-padded back to 128 bits before being XORed into the AES input; the 128-bit Key register feeds the AES round module (one round per cycle); the outputs are the ciphertext C and the tag T.

COFB-AES Base Architecture: Properties
- Serial processing of data
- Round-based architecture of AES
- Processes 128 bits per 12 clock cycles
- Uses very few storage registers
- Minimum hardware area among all known implementations
- No pipeline registers

FSM for the COFB-AES Base Architecture
Figure: finite-state machine of the base architecture. Recoverable states and transitions: Start/Reset state, Load state, then the AES module FSM (AES Reset state, AES Start state, AES Round state repeated while Roundctr < 10, AES Done state when Roundctr = 10), then the Compute/Add Mask state; if the final block has been processed, the Release Tag state; on EOM / isComplete, the End state; otherwise back to Load for the next block.

COFB-AES FPGA Implementation Information
VHDL; platforms Virtex 6 and Virtex 7 under Xilinx 13.4. Not compatible with GMU's ATHENa interface [1].
Base implementation results:
Platform   #Slice registers   #LUTs   #Slices   Frequency (MHz)   Gbps   Mbps/LUT   Mbps/Slice
Virtex 6   722                1075    442       267.20            2.85   2.24       6.45
Virtex 7   722                1456    555       264.24            2.82   2.22       5.08
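The cycle model from the performance slide (cycle count = 12 + 12(a + m) + 11, with a = m) and the hardware figures above can be cross-checked against each other; the following added example (not code from the COFB paper or slides) does that. The slide's cpb values are embedded as constructed reference data. It also generalizes the model to an arbitrary AD-to-message ratio, which the slide does not show: with a = m the long-message limit is 24 cycles per 16 message bytes, i.e. 1.5 cpb, and with no AD it would be 0.75 cpb under the same per-block cost.

```python
# Added example, not code from the COFB paper or slides: reproduces the
# cycles-per-byte model (12 + 12(a + m) + 11, a = m) and cross-checks the
# FPGA throughput/efficiency numbers against "128 bits per 12 clock cycles".
# SLIDE_CPB holds the slide's rounded figures for comparison only.

BLOCK_BYTES = 16
CYCLES_PER_BLOCK = 12   # round-based AES: 128 bits per 12 cycles (slide)
SETUP_CYCLES = 12       # leading constant in the slide's cycle count
FINAL_CYCLES = 11       # trailing constant in the slide's cycle count

SLIDE_CPB = {16: 2.93, 32: 2.22, 64: 1.86, 128: 1.68, 256: 1.59, 512: 1.54,
             1024: 1.52, 2048: 1.51, 4096: 1.50, 16384: 1.50, 32768: 1.50}


def cycle_count(a_blocks, m_blocks):
    """Total clock cycles for a AD blocks and m message blocks."""
    return SETUP_CYCLES + CYCLES_PER_BLOCK * (a_blocks + m_blocks) + FINAL_CYCLES


def cycles_per_byte(msg_len, ad_blocks=None):
    """cpb = cycle count / len(M); ad_blocks=None reproduces the slide's a = m."""
    m = -(-msg_len // BLOCK_BYTES)            # ceil(len / 16)
    a = m if ad_blocks is None else ad_blocks
    return cycle_count(a, m) / msg_len


def max_deviation_from_slide():
    """Largest gap between the model and the slide's rounded figures."""
    return max(abs(cycles_per_byte(n) - v) for n, v in SLIDE_CPB.items())


def asymptotic_cpb(ad_blocks_per_msg_block=1.0):
    """Long-message limit: the constants vanish, only the per-block cost remains."""
    return CYCLES_PER_BLOCK * (1 + ad_blocks_per_msg_block) / BLOCK_BYTES


def throughput_gbps(freq_mhz, cycles_per_block=CYCLES_PER_BLOCK, block_bits=128):
    """Long-message throughput of the base architecture at a given clock."""
    return freq_mhz * 1e6 * block_bits / cycles_per_block / 1e9


def mbps_per(gbps, count):
    """Area efficiency: Mbps per LUT or per slice."""
    return gbps * 1e3 / count
```

Running the checks: the cpb table reproduces to within rounding, 267.20 MHz times 128/12 gives the reported 2.85 Gbps, and 2850/442 gives the reported 6.45 Mbps/Slice. The Mbps/LUT column does not follow from the listed #LUTs (2850/1075 is about 2.65, not 2.24), so treat that column with care when comparing against other designs.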

Benchmarking of COFB-AES on Virtex 6
Scheme                         #LUT   #Slices   Gbps     Mbps/LUT   Mbps/Slice
ACORN (SC based)               455    135       3.112    6.840      23.052
PRIMATEs-HANUMAN (sponge)      1012   390       0.964    0.953      2.472
COFB-AES                       1075   442       2.850    2.240      6.450
JAMBU-SIMON (BC based)         1222   453       0.363    0.297      0.801
Ketje (sponge)                 1270   456       7.345    5.783      16.107
ASCON (sponge)                 1271   413       3.172    2.496      7.680
Joltik (TBC based)             1292   442       0.853    0.660      0.826
JAMBU-AES (BC based)           1836   652       1.999    1.089      3.067
SCREAM (TBC based)             2052   834       1.039    0.506      1.246
NORX (sponge)                  2964   1016      11.029   3.721      10.855
TriviA-ck (SC based)           2118   687       15.374   7.259      22.378
Minalpher (BC based)           2879   1104      1.831    0.636      1.659
SILC (BC based)                3066   921       4.040    1.318      4.387
Deoxys (TBC based)             3143   951       2.793    0.889      2.937
CLOC (BC based)                3145   891       2.996    0.488      1.724
AES-GCM (BC based)             3175   1053      3.239    1.020      3.076
OCB (BC based)                 4249   1348      3.122    0.735      2.316
ELmD (BC based)                4302   1584      3.168    0.736      2.091
AEZ (BC based)                 4597   1246      8.585    0.747      2.756
AES-OTR (BC based)             5102   1385      2.741    0.537      1.979
Tiaoxin (BC based)             7123   2101      52.838   7.418      25.149
AEGIS (BC based)               7592   2028      70.927   9.342      34.974
AES-COPA (BC based)            7754   2358      2.500    0.322      1.060


Conclusion
COFB is a BC-based AE mode, secure up to $O(2^{n/2}/n)$ queries. It is a low-area AE and can be used in low-resource embedded devices.


References
[1] ATHENa: Automated Tool for Hardware Evaluation. https://cryptography.gmu.edu/athena/
[2] Elena Andreeva, Andrey Bogdanov, Nilanjan Datta, Atul Luykx, Bart Mennink, Mridul Nandi, Elmar Tischhauser, and Kan Yasuda. COLM v1. CAESAR Competition.
[3] Mihir Bellare. Authenticated Encryption. https://cseweb.ucsd.edu/~mihir/cse207/s-ae.pdf
[4] Mihir Bellare and Chanathip Namprempre. Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. In Advances in Cryptology - ASIACRYPT 2000, 6th International Conference on the Theory and Application of Cryptology and Information Security, Kyoto, Japan, December 3-7, 2000, Proceedings, pages 531-545, 2000.
[5] Tetsu Iwata, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi. CAESAR Candidate CLOC. DIAC 2014.
[6] Tetsu Iwata, Kazuhiko Minematsu, Jian Guo, Sumio Morioka, and Eita Kobayashi. CAESAR Candidate SILC. DIAC 2014.
[7] Phillip Rogaway. Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. In ASIACRYPT 2004, pages 16-31, 2004.
[8] Willem Schroé, Bart Mennink, Elena Andreeva, and Bart Preneel. Forgery and Subkey Recovery on CAESAR Candidate iFeed. In Selected Areas in Cryptography - SAC 2015, 22nd International Conference, Sackville, NB, Canada, August 12-14, 2015, Revised Selected Papers, pages 197-204, 2015.
[9] Hongjun Wu and Tao Huang. The JAMBU Lightweight Authentication Encryption Mode (v2). CAESAR Competition.
[10] Liting Zhang, Wenling Wu, Han Sui, and Peng Wang. iFeed[AES] v1. CAESAR Competition.

Thank you