Results 11-20 of 60
Robust authenticated-encryption: AEZ and the problem that it solves
2014
Abstract

Cited by 13 (3 self)
With a scheme for robust authenticated-encryption a user can select an arbitrary value λ ≥ 0 and then encrypt a plaintext of any length into a ciphertext that’s λ characters longer. The scheme must provide all the privacy and authenticity possible for the requested λ. We formalize and investigate this idea, and construct a well-optimized solution, AEZ, from the AES round function. Our scheme encrypts strings at almost the same rate as OCB-AES or CTR-AES (on Haswell, AEZ has a peak speed of about 0.7 cpb). To accomplish this we employ an approach we call accelerated provable security: the scheme is designed and proven secure in the provable-security tradition, but, to improve speed, one instantiates by scaling down most instances of the underlying primitive. Keywords: AEZ, arbitrary-input blockciphers, authenticated encryption, robust AE, misuse resistance,
New Blockcipher Modes of Operation with Beyond The Birthday . . .
2006
Abstract

Cited by 11 (1 self)
In this paper, we define and analyze a new blockcipher mode of operation for encryption, CENC, which stands for Cipher-based ENCryption. CENC has the following advantages: (1) beyond the birthday bound security, (2) security proofs with the standard PRP assumption, (3) highly efficient, (4) single blockcipher key, (5) fully parallelizable, (6) allows precomputation of keystream, and (7) allows random access. CENC is based on the new construction of "from PRPs to PRF conversion," which is of independent interest. Based on CENC and a universal hash-based MAC (Wegman-Carter MAC), we also define a new authenticated-encryption with associated-data scheme, CHM, which stands for CENC with Hash-based MAC. The security of CHM is also beyond the birthday bound.
Security of Symmetric Encryption against Mass Surveillance
Abstract

Cited by 11 (1 self)
Motivated by revelations concerning population-wide surveillance of encrypted communications, we formalize and investigate the resistance of symmetric encryption schemes to mass surveillance. The focus is on algorithm-substitution attacks (ASAs), where a subverted encryption algorithm replaces the real one. We assume that the goal of “big brother” is undetectable subversion, meaning that ciphertexts produced by the subverted encryption algorithm should reveal plaintexts to big brother yet be indistinguishable to users from those produced by the real encryption scheme. We formalize security notions to capture this goal and then offer both attacks and defenses. In the first category we show that successful (from the point of view of big brother) ASAs may be mounted on a large class of common symmetric encryption schemes. In the second category we show how to design symmetric encryption schemes that avoid such attacks and meet our notion of security. The lesson that emerges is the danger of choice: randomized, stateless schemes are subject to attack while deterministic, stateful ones are not.
Concealment and its applications to authenticated encryption
In EUROCRYPT 2003
2003
Abstract

Cited by 10 (1 self)
We introduce a new cryptographic primitive we call concealment, which is related to, but quite different from, the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals “no information” about m, while (2) the binder b can be “meaningfully opened” by at most one hider h. While setting b = m, h = ∅ is a trivial concealment, the challenge is to make |b| ≪ |m|, which we call a “non-trivial” concealment. We show that non-trivial concealments are equivalent to the existence of collision-resistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations. We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let AE be an authenticated encryption scheme (either public- or symmetric-key) designed
Versatile padding schemes for joint signature and encryption
In Proceedings of the Eleventh ACM Conference on Computer and Communications Security (CCS 2004)
2004
Abstract

Cited by 9 (0 self)
We propose several highly-practical and optimized constructions for joint signature and encryption primitives, often referred to as signcryption. All our signcryption schemes, built directly from trapdoor permutations such as RSA, share features such as simplicity, efficiency, generality, near-optimal exact security, flexible and ad-hoc key management, key reuse for sending/receiving data, optimally-low message expansion, “backward” use for plain signature/encryption, long message and associated data support, the strongest-known qualitative security and, finally, complete compatibility with the PKCS#1 infrastructure. Similar to the design of plain RSA-based signature and encryption schemes, such as RSA-FDH and RSA-OAEP, our signcryption schemes are constructed by designing appropriate padding schemes suitable for use with trapdoor permutations. We build a general and flexible framework for the design and analysis of secure Feistel-based padding schemes, as well as three composition paradigms for using such paddings to build optimized signcryption schemes. To unify many secure padding options offered as special cases of our framework, we construct a single versatile padding scheme PSEP which, by simply adjusting the parameters, can work optimally with any of the three composition paradigms for either signature, encryption, or signcryption. We illustrate the utility of our signcryption schemes by applying them to build a secure key-exchange protocol, with performance results showing 3x–5x speedup compared to standard protocols.
Pseudo-Random Functions and Parallelizable Modes of Operations of a Block Cipher
Abstract

Cited by 9 (4 self)
This paper considers the construction and analysis of pseudo-random functions (PRFs) with specific reference to modes of operations of a block cipher. In the context of message authentication codes (MACs), earlier independent work by Bernstein and Vaudenay shows how to reduce the analysis of relevant PRFs to some probability calculations. In the first part of the paper, we revisit this result and use it to prove a general result on constructions which use a PRF with a “small” domain to build a PRF with a “large” domain. This result is used to analyse two new parallelizable PRFs which are suitable for use as MAC schemes. The first scheme, called iPMAC, is based on a block cipher and improves upon the well-known PMAC algorithm. The improvements consist in faster masking operations and the removal of a design-stage discrete logarithm computation. The second scheme, called VPMAC, uses a keyed compression function rather than a block cipher. The only previously known compression-function-based parallelizable PRF is called the protected counter sum (PCS) and is due to Bernstein. VPMAC improves upon PCS by requiring a smaller number of calls to the compression function. The second part of the paper takes a new look at the construction and analysis of modes of operations for authenticated encryption (AE) and for authenticated encryption with associated data (AEAD). Usually, the most complicated part in the security analysis of such modes is the analysis of authentication
Accelerating AES with Vector Permute Instructions
In Clavier and Gaj [8]
Abstract

Cited by 7 (0 self)
We demonstrate new techniques to speed up the Rijndael (AES) block cipher using vector permute instructions. Because these techniques avoid data- and key-dependent branches and memory references, they are immune to known timing attacks. This is the first constant-time software implementation of AES which is efficient for sequential modes of operation. This work can be adapted to several other primitives using the AES S-box, such as the stream cipher LEX, the block cipher Camellia and the hash function Fugue. We focus on Intel’s SSSE3 and Motorola’s AltiVec, but our techniques can be adapted to other systems with vector permute instructions, such as the IBM Xenon and Cell processors, the ARM Cortex series and the forthcoming AMD “Bulldozer” core.
Online authenticated-encryption and its nonce-reuse misuse-resistance
In CRYPTO 2015, part I, LNCS 9215, Springer
2015
Abstract

Cited by 6 (1 self)
A definition of online authenticated-encryption (OAE), call it OAE1, was given by Fleischmann, Forler, and Lucks (2012). It has become a popular definitional target because, despite allowing encryption to be online, security is supposed to be maintained even if nonces get reused. We argue that this expectation is effectively wrong. OAE1 security has also been claimed to capture best-possible security for any online-AE scheme. We claim that this understanding is wrong, too. So motivated, we redefine OAE-security, providing a radically different formulation, OAE2. The new notion effectively does capture best-possible security for a user’s choice of plaintext segmentation and ciphertext expansion. It is achievable by simple techniques from standard tools. Yet even for OAE2, nonce-reuse can still be devastating. The picture to emerge is that no OAE definition can meaningfully tolerate nonce-reuse, but, at the same time, OAE security ought never have been understood to turn on this question.
Web-based attacks on host-proof encrypted storage
In Workshop on Offensive Technologies (WOOT)
2012
Abstract

Cited by 5 (4 self)
Cloud-based storage services, such as Wuala, and password managers, such as LastPass, are examples of so-called host-proof web applications that aim to protect users from attacks on the servers that host their data. To this end, user data is encrypted on the client and the server is used only as a backup data store. Authorized users may access their data through client-side software, but for ease of use, many commercial applications also offer browser-based interfaces that enable features such as remote access, form-filling, and secure sharing. We describe a series of web-based attacks on popular host-proof applications that completely circumvent their cryptographic protections. Our attacks exploit standard web application vulnerabilities to expose flaws in
The Game-Playing Technique
2004
Abstract

Cited by 5 (0 self)
In the game-playing technique, one writes a pseudocode game such that an adversary's advantage in attacking some cryptographic construction is bounded above by the probability that the game sets a flag bad. This probability is then upper bounded by making stepwise, syntactical refinements to the pseudocode: a chain of games. The approach was first used by Kilian and Rogaway (1996) and has been used repeatedly since, but it has never received a systematic treatment. In this paper we provide one. We develop the foundations...