Abstract. We introduce CWC, a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data. CWC is currently the only such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns. We believe that having all five of these properties makes CWC a powerful tool for use in many performance-critical cryptographic applications. CWC is also the only appropriate solution for some applications; e.g., standardization bodies like the IETF and NIST prefer patent-free modes, and CWC is the only such mode capable of processing data at 10Gbps in hardware, which will be important for future IPsec (and other) network devices. As part of our design, we also introduce a new parallelizable universal hash function optimized for performance in both hardware and software.

Let E be a public-key encryption system and let (pk i, ski) be public/private key pairs for E for i = 0,..., n. A natural question is whether E remains secure once an adversary obtains an encryption cycle, which consists of the encryption of ski under pk (i mod n)+1 for all i = 1,..., n. Surprisingly, even strong notions of security such as chosen-ciphertext security appear to be insufficient for proving security in these settings. Since encryption cycles come up naturally in several applications, it is desirable to construct systems that remain secure in the presence of such cycles. Until now, all known constructions have only be proved secure in the random oracle model. We construct an encryption system that is circular-secure under the Decision Diffie-Hellman assumption, without relying on random oracles. Our proof of security holds even if the adversary obtains an encryption clique, that is, encryptions of ski under pk j for all 0 ≤ i, j ≤ n. We also construct a circular counterexample: a one-way secure encryption scheme that becomes completely insecure if an encryption cycle of length 2 is published. 1

The Secure Shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol or to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.

A popular paradigm for achieving privacy plus authenticity is to append some “redundancy” to the data before encrypting. We investigate the security of this paradigm at both a general and a specific level. We consider various possible notions of privacy for the base encryption scheme, and for each such notion we provide a condition on the redundancy function that is necessary and sufficient to ensure authenticity of the encryption-with-redundancy scheme. We then consider the case where the base encryption scheme is a variant of CBC called NCBC, and find sufficient conditions on the redundancy functions for NCBC encryption-with-redundancy to provide authenticity. Our results highlight an important distinction between public redundancy functions, meaning those that the adversary can compute, and secret ones, meaning those that depend on the shared key between the legitimate parties.

Abstract not found

We propose a block-cipher mode of operation, EAX, for authenticated-encryption with associated data (AEAD). Given a nonce N , a message M , and a header H, the mode protects the privacy of M and the authenticity of both M and H. Strings N; M;H 2 f0; 1g are arbitrary, and the mode uses 2dM=ne + dH=ne + dN=ne block-cipher calls when these strings are nonempty and n is the block length of the underlying block cipher. Among EAX's characteristics are that it is on-line (the length of a message isn't needed to begin processing it) and a fixed header can be pre-processed, effectively removing the per-message cost of binding it to the ciphertext. EAX is obtained by instantiating a simple generic composition method, EAX2, and then collapsing its two keys into one. EAX is provably secure under a standard complexity-theoretic assumption. EAX is an alternative to CCM [19], and is likewise patent-free.

We intend to narrow the gap between concrete implementations of cryptographic protocols and their verified models. We develop and verify a small functional implementation of the Transport Layer Security protocol (TLS 1.0). We make use of the same executable code for interoperability testing against mainstream implementations, for automated symbolic cryptographic verification, and for automated computational cryptographic verification. We rely on a combination of recent tools, and we also develop a new tool for extracting computational models from executable code. We obtain strong security guarantees for TLS as used in typical deployments.

The Domain Name System (DNS) is a distributed database that allows convenient storing and retrieving of resource records. DNS has been extended to provide security services (DNSSEC) mainly through public-key cryptography. We propose a new approach to DNSSEC that may result in a signicantly more ecient protocol. We introduce a new strategy to build chains of trust from root servers to authoritative servers. The techniques we employ are based on symmetric-key cryptography. Keywords Domain Name System Security (DNSSEC), Authentication Protocols, Digital Signatures, Symmetric Encryption 1.

We present new methods to provide block-level integrity in encrypted storage systems, i.e., so that a client will detect the modification of data blocks by an untrusted storage server. We present cryptographic definitions for this setting, and develop solutions that change neither the block size nor the number of sectors accessed, an important consideration for modern storage systems. In order to achieve this, a trusted client component maintains state with which it can authenticate blocks returned by the storage server, and we explore techniques for minimizing the size of this state. We demonstrate a scheme that provably implements basic block integrity (informally, that any block accepted was previously written), that exhibits a tradeoff between the level of security and the additional client's storage overhead, and that in empirical evaluations requires an average of only 0.01 bytes per 1024-byte block. We extend this to a scheme that implements integrity resistant to replay attacks (informally, that any block accepted was the last block written to that address) using only 1.82 bytes per block, on average, in our one-month long empirical tests.

Abstract. We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals “no information” about m, while (2) the binder b can be “meaningfully opened ” by at most one hider h. While setting b = m, h = ∅ is a trivial concealment, the challenge is to make |b | ≪ |m|, which we call a “non-trivial ” concealment. We show that non-trivial concealments are equivalent to the existence of collision-resistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations. We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let AE be an authenticated encryption scheme (either public- or symmetric-key) designed