Results 1 - 10 of 11
The Software Performance of Authenticated-Encryption Modes, 2011
Abstract

Cited by 8 (0 self)
We study the software performance of authenticated-encryption modes CCM, GCM, and OCB. Across a variety of platforms, we find OCB to be substantially faster than either alternative. For example, on an Intel i5 (“Clarkdale”) processor, good implementations of CCM, GCM, and OCB encrypt at around 4.2 cpb, 3.7 cpb, and 1.5 cpb, while CTR mode requires about 1.3 cpb. Still we find room for algorithmic improvements to OCB, showing how to trim one blockcipher call (most of the time, assuming a counter-based nonce) and reduce latency. Our findings contrast with those of McGrew and Viega (2004), who claimed similar performance for GCM and OCB. Key words: authenticated encryption, cryptographic standards, encryption speed, modes of
Pseudo-Random Functions and Parallelizable Modes of Operations of a Block Cipher
Abstract

Cited by 6 (3 self)
This paper considers the construction and analysis of pseudorandom functions (PRFs) with specific reference to modes of operations of a block cipher. In the context of message authentication codes (MACs), earlier independent work by Bernstein and Vaudenay show how to reduce the analysis of relevant PRFs to some probability calculations. In the first part of the paper, we revisit this result and use it to prove a general result on constructions which use a PRF with a “small” domain to build a PRF with a “large” domain. This result is used to analyse two new parallelizable PRFs which are suitable for use as MAC schemes. The first scheme, called iPMAC, is based on a block cipher and improves upon the well-known PMAC algorithm. The improvements consist in faster masking operations and the removal of a design stage discrete logarithm computation. The second scheme, called VPMAC, uses a keyed compression function rather than a block cipher. The only previously known compression function based parallelizable PRF is called the protected counter sum (PCS) and is due to Bernstein. VPMAC improves upon PCS by requiring fewer calls to the compression function. The second part of the paper takes a new look at the construction and analysis of modes of operations for authenticated encryption (AE) and for authenticated encryption with associated data (AEAD). Usually, the most complicated part in the security analysis of such modes is the analysis of authentication
A Simple and Generic Construction of Authenticated Encryption With Associated Data
Abstract

Cited by 3 (2 self)
We revisit the problem of constructing a protocol for performing authenticated encryption with associated data (AEAD). A technique is described which combines a collision resistant hash function with a protocol for authenticated encryption (AE). The technique is both simple and generic and does not require any additional key material beyond that of the AE protocol. Concrete instantiations are shown where a 256-bit hash function is combined with some known single-pass AE protocols employing either 128-bit or 256-bit block ciphers. This results in a possible efficiency improvement in the processing of the header.
Tweakable Blockciphers Secure Against Generic Exponential Attacks, 2007
Cited by 1 (0 self)
Towards Side-Channel Resistant Block Cipher Usage or Can We Encrypt Without Side-Channel Countermeasures?
Abstract

Cited by 1 (0 self)
Based on rekeying techniques by Abdalla, Bellare, and Borst [1, 2], we consider two black-box secure block cipher based symmetric encryption schemes, which we prove secure in the physically observable cryptography model. They are proven side-channel secure against a strong type of adversary that can adaptively choose the leakage function as long as the leaked information is bounded. It turns out that our simple construction is side-channel secure against all types of attacks that satisfy some reasonable assumptions. In particular, the security turns out to be negligible in the block cipher’s block size n, for all attacks. We also show that our ideas result in an interesting alternative to the implementation of block ciphers using different logic styles or masking countermeasures.
Tweakable Enciphering Schemes From Stream Ciphers With IV
Abstract

Cited by 1 (1 self)
We present the first construction of a tweakable enciphering scheme from a stream cipher supporting an initialization vector. This construction can take advantage of the recent advances in hardware efficient stream ciphers to yield disk encryption systems with a very small hardware footprint. Such systems will be attractive for resource-constrained devices.
Tweakable Blockciphers, Revisited, 2009
Abstract
Tweakable blockciphers, first formalized by Liskov, Rivest, and Wagner [17], are blockciphers with an additional input, the tweak, which provides an easy mechanism for obtaining multiple “essentially different” permutations from a single key. Liskov et al. advocate an altered methodology for symmetric cryptography: instead of designing modes of operation using blockciphers directly, first design tweakable blockciphers, and then build modes of operation. Though this method has conceptual advantages, it can introduce an extra layer of analysis in which proof tightness can be lost. We consider the notion of security-preserving mid-level constructions, by which we mean constructions that do not introduce any loss of security. We give tweakable blockciphers that meet this goal in a limited sense (they are security-preserving for certain applications), and show that they can help us create tighter overall proofs of security. We also show the novelty of these constructions by demonstrating that all previously proposed generic tweakable blockciphers are not security preserving even in this limited sense.
Tweakable Block, 2005 (DOI: 10.1007/s00145-010-9073-y)
Abstract
A common trend in applications of block ciphers over the past decades has been to employ block ciphers as one piece of a “mode of operation”—possibly, a way to make a secure symmetric-key cryptosystem, but more generally, any cryptographic application. Most of the time, these modes of operation use a wide variety of techniques to achieve a subgoal necessary for their main goal: instantiation of “essentially different” instances of the block cipher. We formalize a cryptographic primitive, the “tweakable block cipher.” Such a cipher has not only the usual inputs—message and cryptographic key—but also a third input, the “tweak.” The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our abstraction brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher “tweakable” is small, and (3) it is easier to design and prove the security of applications of block ciphers that need this variability using tweakable block ciphers.
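The following is an added worked example for this abstract and for "Tweakable Blockciphers, Revisited" above; it is code written for this page, not code from either paper. It implements the XOR-hash-XOR tweakable block cipher E~_{K,h}(T, M) = E_K(M xor h(T)) xor h(T), one of the two generic constructions proposed by Liskov, Rivest and Wagner, with h(T) = H * T in GF(2^64) as the almost-XOR-universal hash (H is a second, independent key) and, as a stand-in block cipher small enough to fit here, Speck64/128 with a 64-bit block; AES would be the practical choice, and the function and class names (`speck_encrypt`, `TweakableSpeck`, `encrypt_sector`) are this example's own. The `encrypt_sector` helper shows point (3) of the abstract: with the tweak set to the block position, a disk-style mode needs no per-block IV and identical plaintext blocks no longer produce identical ciphertext blocks.

```python
# Added example, not from the paper: the Liskov-Rivest-Wagner XOR-hash-XOR
# construction  E~(T, M) = E_K(M xor h(T)) xor h(T)  with h(T) = H * T in GF(2^64).
# E is Speck64/128 here purely because it fits in a few lines (assumption: any
# 64-bit block cipher would do; use AES with a 128-bit hash in practice).

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
ROUNDS = 27  # Speck64/128 round count (alpha=8, beta=3)


def _ror(x: int, r: int) -> int:
    return ((x >> r) | (x << (32 - r))) & MASK32


def _rol(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def speck_key_schedule(key: bytes) -> list:
    """Expand a 16-byte key into the 27 Speck64/128 round keys."""
    if len(key) != 16:
        raise ValueError("Speck64/128 needs a 16-byte key")
    k0, l0, l1, l2 = (int.from_bytes(key[4 * i:4 * i + 4], "little") for i in range(4))
    ks, l = [k0], [l0, l1, l2]
    for i in range(ROUNDS - 1):
        l.append(((ks[i] + _ror(l[i], 8)) & MASK32) ^ i)
        ks.append(_rol(ks[i], 3) ^ l[i + 3])
    return ks


def speck_encrypt(ks: list, block: bytes) -> bytes:
    x = int.from_bytes(block[:4], "little")
    y = int.from_bytes(block[4:8], "little")
    for k in ks:
        x = ((_ror(x, 8) + y) & MASK32) ^ k
        y = _rol(y, 3) ^ x
    return x.to_bytes(4, "little") + y.to_bytes(4, "little")


def speck_decrypt(ks: list, block: bytes) -> bytes:
    x = int.from_bytes(block[:4], "little")
    y = int.from_bytes(block[4:8], "little")
    for k in reversed(ks):          # undo each round in reverse order
        y = _ror(y ^ x, 3)
        x = _rol(((x ^ k) - y) & MASK32, 8)
    return x.to_bytes(4, "little") + y.to_bytes(4, "little")


def gf64_mul(a: int, b: int) -> int:
    """Multiply in GF(2^64) modulo x^64 + x^4 + x^3 + x + 1 (shift-and-add)."""
    r = 0
    for _ in range(64):
        if b & 1:
            r ^= a
        b >>= 1
        carry = a >> 63
        a = (a << 1) & MASK64
        if carry:
            a ^= 0x1B
    return r


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class TweakableSpeck:
    """E~(T, M) = E_K(M xor H*T) xor H*T.  T -> H*T is 2^-64-almost-XOR-universal
    over a uniformly random H, which is exactly what the LRW proof needs."""

    def __init__(self, cipher_key: bytes, hash_key: int):
        # H = 0 would make every tweak collide; reject it as an implementation choice.
        if not 0 < hash_key <= MASK64:
            raise ValueError("hash key must be a nonzero 64-bit value")
        self.ks = speck_key_schedule(cipher_key)
        self.h = hash_key

    def _delta(self, tweak: int) -> bytes:
        if not 0 <= tweak <= MASK64:
            raise ValueError("tweak must fit in 64 bits")
        return gf64_mul(self.h, tweak).to_bytes(8, "big")

    def encrypt(self, tweak: int, block: bytes) -> bytes:
        d = self._delta(tweak)
        return _xor(speck_encrypt(self.ks, _xor(block, d)), d)

    def decrypt(self, tweak: int, block: bytes) -> bytes:
        d = self._delta(tweak)
        return _xor(speck_decrypt(self.ks, _xor(block, d)), d)


def encrypt_sector(tbc: TweakableSpeck, sector: int, data: bytes) -> bytes:
    """Disk-style mode: tweak = (sector number, block index). No IV is stored,
    yet equal plaintext blocks at different positions encrypt differently."""
    if len(data) % 8:
        raise ValueError("sector length must be a multiple of the 8-byte block")
    return b"".join(tbc.encrypt(((sector & MASK32) << 32) | (i // 8), data[i:i + 8])
                    for i in range(0, len(data), 8))


def decrypt_sector(tbc: TweakableSpeck, sector: int, data: bytes) -> bytes:
    if len(data) % 8:
        raise ValueError("sector length must be a multiple of the 8-byte block")
    return b"".join(tbc.decrypt(((sector & MASK32) << 32) | (i // 8), data[i:i + 8])
                    for i in range(0, len(data), 8))


if __name__ == "__main__":
    # Constructed demo keys; in practice draw both from os.urandom.
    tbc = TweakableSpeck(bytes(range(16)), 0x0123456789ABCDEF)
    c1, c2 = tbc.encrypt(1, b"same-blk"), tbc.encrypt(2, b"same-blk")
    print(c1.hex(), c2.hex(), tbc.decrypt(1, c1))
```

Note the cost accounting the abstract alludes to: each tweakable call costs one block cipher call plus one field multiplication and two XORs, and when consecutive tweaks differ by a constant (as in `encrypt_sector`) the multiplication collapses to an XOR of precomputed differences, which is how XEX-style modes keep the overhead near zero. The hash key H must be independent of K; reusing K as H breaks the proof's assumption that the mask is unpredictable from the cipher's behaviour.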
Construction of a Hybrid (Hierarchical) Identity-Based Encryption Protocol Secure Against Adaptive Attacks
Abstract
The current work considers the problem of obtaining a hierarchical identity-based encryption (HIBE) protocol which is secure against adaptive key extraction and decryption queries. Such a protocol is obtained by modifying an earlier protocol by Chatterjee and Sarkar (which, in turn, is based on a protocol due to Waters) which is secure only against adaptive key extraction queries. The setting is quite general in the sense that random oracles are not used and security is based on the hardness of the decisional bilinear Diffie-Hellman (DBDH) problem. In this setting, the new construction provides the most efficient (H)IBE protocol known to date. The technique for answering decryption queries in the proof is based on earlier work by Boyen, Mei and Waters. Ciphertext validity testing is done indirectly through a symmetric authentication algorithm in a manner similar to the Kurosawa-Desmedt public key encryption protocol. Additionally, we perform symmetric encryption and authentication by a single authenticated encryption algorithm.
On Authenticated Encryption Using Stream Ciphers Supporting an Initialisation Vector
Abstract
We describe a systematic framework for using a stream cipher supporting an initialisation vector (IV) to perform various tasks of authentication and authenticated encryption. These include message authentication code (MAC), authenticated encryption (AE), authenticated encryption with associated data (AEAD) and deterministic authenticated encryption (DAE) with associated data. Several schemes are presented and rigorously analysed. A major component of the constructions is a keyed hash function having provably low collision and differential probabilities. Methods are described to efficiently extend such hash functions to take double inputs and more generally multiple inputs. In particular, double-input hash functions are required for the construction of AEAD schemes. An important practical aspect of our work is that a designer can combine off-the-shelf stream ciphers with off-the-shelf hash functions to obtain secure primitives for MAC, AE, AEAD and DAE(AD).