OCB Mode. Mihir Bellare UCSD John Black UNR Ted Krovetz Digital Fountain

Similar documents
OCB Mode. Phillip Rogaway. Department of Computer Science UC Davis + CMU

The OCB Authenticated-Encryption Algorithm

OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004

Practical Symmetric On-line Encryption

symmetric cryptography s642 computer security adam everspaugh

Lecture 8 - Message Authentication Codes

On Symmetric Encryption with Distinguishable Decryption Failures

How to Use Your Block Cipher? Palash Sarkar

PMAC: A Parallelizable Message Authentication Code

Authenticated Encryption

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

Authenticated Encryption: How Reordering can Impact Performance

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Authenticated Encryption

symmetric cryptography s642 computer security adam everspaugh

Block ciphers, stream ciphers

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

CSE 127: Computer Security Cryptography. Kirill Levchenko

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

ECE 646 Lecture 8. Modes of operation of block ciphers

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Proofs for Key Establishment Protocols

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Homework 3: Solution

Some Aspects of Block Ciphers

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Symmetric Crypto MAC. Pierre-Alain Fouque

Blockwise-Adaptive Attackers

Authenticated encryption

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Cryptology complementary. Symmetric modes of operation

Automated Analysis and Synthesis of Block-Cipher Modes of Operation

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

1 Achieving IND-CPA security

Information Security CS526

Feedback Week 4 - Problem Set

Computer Security CS 526

Chapter 4. Symmetric Encryption. 4.1 Symmetric encryption schemes

Multiple forgery attacks against Message Authentication Codes

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Crypto: Symmetric-Key Cryptography

Lecture 1: Perfect Security

Content of this part

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Chapter 4. Symmetric Encryption. 4.1 Symmetric encryption schemes

Does encryption with redundancy provide authenticity?

1 Defining Message authentication

What Can Be Proved About Security?

Data Integrity & Authentication. Message Authentication Codes (MACs)

Symmetric Encryption 2: Integrity

Advanced Cryptography 1st Semester Symmetric Encryption

Cryptography 2017 Lecture 3

Provably Secure Public-Key Encryption for Length-Preserving Chaumian Mixes

Pipelineable On-Line Encryption (POE)

Chapter 7. Message Authentication. 7.1 The setting

CS155. Cryptography Overview

Chapter 6. Message Authentication. 6.1 The setting

Lecture 9 Authenticated Encryption

Refresher: Applied Cryptography

The Security of All-Or-Nothing Encryption: Protecting Against Exhaustive Key Search

Permutation-based Authenticated Encryption

CLOC: Authenticated Encryption

ISA 562: Information Security, Theory and Practice. Lecture 1

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

Introduction to cryptology (GBIN8U16)

Accredited Standards Committee X9, Incorporated

Contents 1 Introduction 3 2 Definitions 5 3 Encoding Schemes 8 4 Enciphering Encoded Messages 10 References 15 2

Unit 8 Review. Secure your network! CS144, Stanford University

The Security and Performance of the Galois/Counter Mode (GCM) of Operation (Full Version)

CS 495 Cryptography Lecture 6

Network Security Essentials Chapter 2

The Software Performance of Authenticated-Encryption Modes

Lecture 10, Zero Knowledge Proofs, Secure Computation

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Provably Secure Public-Key Encryption for Length-Preserving Chaumian Mixes

Misuse-resistant crypto for JOSE/JWT

Symmetric Cryptography

Concrete Security of Symmetric-Key Encryption

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Random Oracles - OAEP

Lecture 8. 1 Some More Security Definitions for Encryption Schemes

A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications

Lecture 18 - Chosen Ciphertext Security

CLOC, SILC and OTR. Kazuhiko Minematsu (NEC Corporation) Recent Advances in Authenticated Encryption 2016 Kolkata, India

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Brief Introduction to Provable Security

AES-CMCC v1.1. Designer: Jonathan Trostle. Submitter: Jonathan Trostle

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Blockcipher-based Authentcated Encryption: How Small Can We Go? CHES 2017, Taipei, Taiwan

CS408 Cryptography & Internet Security

Katz, Lindell Introduction to Modern Cryptrography

Cryptography. Andreas Hülsing. 6 September 2016

Transcription:

OCB Mode Phillip Rogaway Department of Computer Science UC Davis + Chiang Mai Univ rogaway@cs.ucdavis.edu http://www.cs.ucdavis.edu/~rogaway +66 1 530 7620 +1 530 753 0987 Mihir Bellare UCSD mihir@cs.ucsd.edu John Black UNR jrb@cs.unr.edu Ted Krovetz Digital Fountain tdk@acm.org Looking contact Ted! NIST Modes of Operation Workshop 2 Aug 24, 2001 - Santa Barbara, California Slide 1

Two Cryptographic Goals Privacy What the Adversary sees tells her nothing of significance about the underlying message M that the Sender sent Authenticity The Receiver is sure that the string he receives was sent (in exactly this form) by the Sender Authenticated Encryption Achieves both privacy and authenticity Nonce M K C Adversary C* K M * or invalid Sender Receiver Slide 2

Why Authenticated Encryption? Efficiency By merging privacy and authenticity one can achieve efficiency difficult to achieve if handling them separately Easier-to-correctly-use abstraction By delivering strong security properties one may minimize encryption-scheme misuse Slide 3

What does Encryption Do? Strong Idealized encryption Security community s favored view OCB Authenticated encryption: IND under CPA + auth of ciphertexts IND under CCA = NM under CCA [Bellare, Nampremre], [Katz, Yung] CTR, CBC$ IND under CPA [Bellare, Desai, Jokipii, Rogaway] Cryptographic community s favored view: sym encryption is for IND-CPA (and nothing more) ECB Weak No meaningful notion of privacy Slide 4

Right or Wrong? It depends on what definition E satisfies A K A. R A B K R B. E K (A. B. R A. R B. sk) E K (R B ) Slide 5

Generic Composition Traditional approach to authenticated encryption Glue together an encryption scheme ( E ) and a Message Authentication Code (MAC) Folklore approach. See [Bellare, Namprempre] and [Krawczyk] for analysis. Preferred way to do generic composition: C_core M Nonce E MAC Tag K enc K mac Nonce Slide 6

Generic Composition + Versatile, clean architecture + Reduces design work + Quick rejection of forged messages if use optimized MAC (eg., UMAC) + Inherits the characteristics of the modes one builds from -Cost (cost to encrypt) + (cost to MAC) For CBC Enc + CBC MAC, cost 2 (cost to CBC Enc) - Often misused - Two keys - Inherits characteristics of the modes one builds from Slide 7

Trying to do Better Numerous attempts to make privacy + authenticity cheaper One approach: stick with generic composition, but find cheaper privacy algorithm and cheaper authenticity algorithms Make authenticity an incidental adjunct to privacy within a conventional-looking mode CBC-with-various-checksums (wrong) PCBC in Kerberos (wrong) PCBC of [Gligor, Donescu 99] (wrong) [Jutla - Aug 00] First correct solution Jutla described two modes, IACBC and IAPM A lovely start, but many improvements possible OCB: inspired by IAPM, but many new characteristics Slide 8

What is OCB? Authenticated-encryption scheme Uses any block cipher (eg. AES) Computational cost cost of CBC OCB-AES good in SW or HW Lots of nice characteristics designed in: Uses M / n + 2 block-cipher calls Uses any nonce (needn t be unpredictable) Works on messages of any length Creates minimum-length ciphertext Uses a single block-cipher key, each block-cipher keyed with it Quick key setup suitable for single-message sessions Essentially endian-neutral Fully parallelizable No n-bit additions Provably secure: if you break OCB-AES you ve broken AES In IEEE 802.11 draft. Paper to appear at ACM CCS 01 Slide 9

... M [1] M [2] M [m-1] M [m] len Checksum Nonce + L(0) + Z[1] + Z[2] + Z[m-1] + Z[- m] + Z[m] E K E K E K... E K E K E K Pad Z[1] Z[2]... + Z[1] + Z[2] + Z[m-1] +... C[1] C[2] C[m-1] C[m] chop Tag τ Checksum = M[1] M[2] M[m-1] C[m]0* Pad Z[i] = Z[i-1] L(ntz(i)) L(0) = E K (0) and each L(i) obtained from L(i-1) by a shift and conditional xor Slide 10

Definition of OCB[E, t] algorithm OCB-Encrypt K (Nonce, M) L(0) = E K (0) L(-1) = lsb(l(0))? (L(0) >> 1) Const43 : (L(0) >>1) for i = 1, 2, do L(i) = msb(l(i-1))? (L(i-1) << 1) Const87 : (L(i-1) <<1) Partition M into M[1]... M[m] // each n bits, except M[m] may be shorter Offset = E K (Nonce L(0)) for i=1 to m-1 do Offset = Offset L(ntz(i)) C[i] = E K (M[i] Offset) Offset Offset = Offset L(ntz(m)) Pad = E K (len(m[m]) Offset L(-1)) C[m] = M[m] (first M[m] bits of Pad) Checksum = M[1]... M[m-1] C[m]0* Pad Tag = first τ bits of E K (Checksum Offset) return C[1]... C[m] Tag Slide 11

Assembly Speed Data from Helger Lipmaa www.tcs.hut.fi/~helger helger@tcs.hut.fi OCB-AES CBC-AES ECB-AES CBCMAC-AES // Best Pentium AES code known. Helger s code is for sale, btw. 16.9 cpb (271 cycles) 15.9 cpb (255 cycles) 14.9 cpb (239 cycles) 15.5 cpb (248 cycles) 6.5 % slower The above data is for 1 Kbyte messages. Code is pure Pentium 3 assembly. The block cipher is AES128. Overhead so small that AES with a C-code CBC wrapper is slightly more expensive than AES with an assembly OCB wrapper. C Speed Data from Ted Krovetz. Compiler is MS VC++. Uses rijndael-alg-fst.c ref code. OCB-AES 28.1 cpb (449 cycles) CBCMAC-AES 26.8 cpb (428 cycles) 4.9 % slower Slide 12

Why I like OCB Ease-of-correct-use. Reasons: all-in-one approach; any type of nonce; parameterization limited to block cipher and tag length Aggressively optimized: optimal in many dimensions: key length, ciphertext length, key setup time, encryption time, decryption time, available parallelism; SW characteristics; HW characteristics; Simple but highly non-obvious Ideal setting for practice-oriented provable security Slide 13

What is Provable Security? Provable security begins with [Goldwasser, Micali 82] Despite the name, one doesn t really prove security Instead, one gives reductions: theorems of the form If a certain primitive is secure then the scheme based on it is secure Eg: If AES is a secure block cipher then OCB-AES is a secure authenticated-encryption scheme Equivalently: If some adversary A does a good job at breaking OCB-AES then some comparably efficient B does a good job to break AES Actual theorems quantitative: they measure how much security is lost across the reduction. Slide 14

( The Power of Definitions Let s you carry on an intelligent conversation Let s you investigate the space of goals and how they are related Often let s you easily see when protocols are wrong Let s you prove when things are right, to the extent that we know how to do this. It took about an hour to break the NSA s Dual Counter Mode. What did I have that the NSA authors didn t? Just an understanding of a good definition for the goal. ) Slide 15

Privacy Indistinguishability from Random Bits [Goldwasser, Micali] [Bellare, Desai, Jokipii, Rogaway] Rand bits oracle Nonce i M i Nonce i M i Real E K oracle $ M i + τ A E K ( Nonce i, M i ) Adv priv (A) = Pr[A Real = 1] Pr[A Rand = 1] Slide 16

Authenticity: Authenticty of Ciphertexts [Bellare, Rogaway] [Katz, Yung] this paper A Nonce i M i Real E K oracle E K ( Nonce i, M i ) Nonce C A forges if she outputs forgery attempt Nonce C s.t. C is valid (it decrypts to a message, not to invalid) there was no E K query Nonce M i that returned C Adv auth (A) = Pr[A forges] Slide 17

Block-Cipher Security PRP and Strong PRP [Goldreich, Goldwasser, Micali] [Luby, Rackoff] [Bellare, Kilian, Rogaway] Rand perm oracle x i x i Real E K oracle π (x i ) B E K (x i ) Adv prp (B) = Pr[B E K = 1] Pr[B π = 1] Adv sprp (B)= Pr[B E K EK -1 = 1] Pr[B ππ 1 = 1] Slide 18

OCB Theorems Privacy theorem: Suppose an adversary A that breaks OCB-E with: time = t total-num-of-blocks = σ adv = Adv priv (A) Then an adversary B that breaks block cipher E with: time t num-of-queries σ Adv prp (B) Adv priv (A) 1.5 σ 2 / 2 n Authenticity theorem: Suppose an adversary A that breaks OCB-E with: time = t total-num-of-blocks = σ adv = Adv auth (A) Then an adversary B that breaks block cipher E with: time t num-of-queries σ Adv sprp (B) Adv priv (A) 1.5 σ 2 / 2 n Slide 19

What Provable Security Does, and Doesn t, Buy You + Strong evidence that scheme does what was intended + Best assurance cryptographers know how to deliver + Quantitative usage guidance - An absolute guarantee - Protection from issues not captured by our abstractions - Protection from usage errors - Protection from implementation errors Slide 20

Domain Ciphertext IV rqmt Calls / msg Calls / keysetup Key length (#E-keys) / blk overhead E circuit depth IAPM (lazy mod p) [Jutla 00,01] ({0,1} n ) + Μ + τ nonce (Jutla s presentation gave rand version) M /n + 2 0 2k (2) 1 xor 2 add 1 addp 2 XECB-XOR [GD 01] {0,1}* M / n + n ctr M /n +1 0 k+2n (1) 1 xor 3 add 1 OCB [R+ 00,01] {0,1}* M + τ nonce M /n + 2 1 k (1) 4 xor 3 Parallelizable Authenticated-Encryption Schemes Slide 21

For More Information OCB web page www.cs.ucdavis.edu/~rogaway Contains FAQ, papers, reference code, licensing info... Feel free to call or send email Upcoming talks: MIT (Oct 26), ACM CCS (Nov 5-8), Stanford (TBA) Or grab me now! Anything Else?? Slide 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback