Results 1 - 10
of
71
Authenticated encryption: Relations among notions and analysis of the generic composition paradigm
, 2000
"... and analysis of the generic composition paradigm ..."
Abstract
-
Cited by 284 (23 self)
- Add to MetaCart
(Show Context)
and analysis of the generic composition paradigm
Faster and Timing-Attack Resistant AES-GCM. IACR Cryptology ePrint Archive, report 2009/129
, 2009
"... Abstract. We present a bitsliced implementation of AES encryption in counter mode for 64-bit Intel processors. Running at 7.81 cycles/byte on a Core 2, it is up to 25 % faster than previous implementations, while simultaneously offering protection against timing attacks. In particular, it is the onl ..."
Abstract
-
Cited by 49 (3 self)
- Add to MetaCart
(Show Context)
Abstract. We present a bitsliced implementation of AES encryption in counter mode for 64-bit Intel processors. Running at 7.81 cycles/byte on a Core 2, it is up to 25 % faster than previous implementations, while simultaneously offering protection against timing attacks. In particular, it is the only cache-timing-attack resistant implementation offering competitive speeds for stream as well as for packet encryption: for 576-byte packets, we improve performance over previous bitsliced implementations by more than a factor of 2. We also report more than 30 % improved speeds for lookup-table based Galois/Counter mode authentication, achieving 11.51 cycles/byte for authenticated encryption. Furthermore, we present the first constant-time implementation of AES-GCM that has a reasonable speed of 22.19 cycles/byte, thus offering a full suite of timing-analysis resistant software for authenticated encryption. Keywords: AES, Galois/Counter mode, cache-timing attacks, fast implementations 1
The Software Performance of Authenticated-Encryption Modes
, 2011
"... We study the software performance of authenticated-encryption modes CCM, GCM, and OCB. Across a variety of platforms, we find OCB to be substantially faster than either alternative. For example, on an Intel i5 (“Clarkdale”) processor, good implementations of CCM, GCM, and OCB encrypt at around 4.2 c ..."
Abstract
-
Cited by 35 (6 self)
- Add to MetaCart
(Show Context)
We study the software performance of authenticated-encryption modes CCM, GCM, and OCB. Across a variety of platforms, we find OCB to be substantially faster than either alternative. For example, on an Intel i5 (“Clarkdale”) processor, good implementations of CCM, GCM, and OCB encrypt at around 4.2 cpb, 3.7 cpb, and 1.5 cpb, while CTR mode requires about 1.3 cpb. Still we find room for algorithmic improvements to OCB, showing how to trim one blockcipher call (most of the time, assuming a counter-based nonce) and reduce latency. Our findings contrast with those of McGrew and Viega (2004), who claimed similar performance for GCM and OCB. Key words: authenticated encryption, cryptographic standards, encryption speed, modes of
HCTR: A variable-input-length enciphering mode
- In Information Security and Cryptology
, 2005
"... Abstract. This paper proposes a blockcipher mode of operation, HCTR, which is a length-preserving encryption mode. HCTR turns an n-bit blockcipher into a tweakable blockcipher that supports arbitrary variable input length which is no less than n bits. The tweak length of HCTR is fixed and can be zer ..."
Abstract
-
Cited by 32 (0 self)
- Add to MetaCart
Abstract. This paper proposes a blockcipher mode of operation, HCTR, which is a length-preserving encryption mode. HCTR turns an n-bit blockcipher into a tweakable blockcipher that supports arbitrary variable input length which is no less than n bits. The tweak length of HCTR is fixed and can be zero. We prove that HCTR is a strong tweak-able pseudorandom permutation (sprp), when the underlying blockcipher is a strong pseudorandom permutation (sprp). HCTR is shown to be a very efficient mode of operation when some pre-computations are taken into consideration. Arbitrary variable input length brings much flexibility in various application environments. HCTR can be used in disk sector encryption, and other length-preserving encryptions, especially for the message that is not multiple of n bits.
Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication
- Federal Information Processing Standard Publication FIPS
"... This Recommendation specifies the Galois/Counter Mode (GCM), an authenticated encryption mode of operation for a symmetric key block cipher. KEY WORDS: authentication; block cipher; cryptography; information security; integrity; ..."
Abstract
-
Cited by 26 (0 self)
- Add to MetaCart
(Show Context)
This Recommendation specifies the Galois/Counter Mode (GCM), an authenticated encryption mode of operation for a symmetric key block cipher. KEY WORDS: authentication; block cipher; cryptography; information security; integrity;
NEON crypto
"... Abstract. NEON is a vector instruction set included in a large fraction of new ARM-based tablets and smartphones. This paper shows that NEON supports high-security cryptography at surprisingly high speeds; normally data arrives at lower speeds, giving the CPU time to handle tasks other than cryptogr ..."
Abstract
-
Cited by 21 (8 self)
- Add to MetaCart
(Show Context)
Abstract. NEON is a vector instruction set included in a large fraction of new ARM-based tablets and smartphones. This paper shows that NEON supports high-security cryptography at surprisingly high speeds; normally data arrives at lower speeds, giving the CPU time to handle tasks other than cryptography. In particular, this paper explains how to use a single 800MHz Cortex A8 core to compute the existing NaCl suite of high-security cryptographic primitives at the following speeds: 5.60 cycles per byte (1.14 Gbps) to encrypt using a shared secret key, 2.30 cycles per byte (2.78 Gbps) to authenticate using a shared secret key, 527102 cycles (1517/second) to compute a shared secret key for a new public key, 650102 cycles (1230/second) to verify a signature, and 368212 cycles (2172/second) to sign a message. These speeds make no use of secret branches and no use of secret memory addresses.
Privacy-Preserving Location Tracking of Lost or Stolen Devices: Cryptographic Techniques and Replacing Trusted Third Parties with DHTs
"... We tackle the problem of building privacy-preserving device-tracking systems — or private methods to assist in the recovery of lost or stolen Internet-connected mobile devices. The main goals of such systems are seemingly contradictory: to hide the device’s legitimately-visited locations from third- ..."
Abstract
-
Cited by 20 (3 self)
- Add to MetaCart
(Show Context)
We tackle the problem of building privacy-preserving device-tracking systems — or private methods to assist in the recovery of lost or stolen Internet-connected mobile devices. The main goals of such systems are seemingly contradictory: to hide the device’s legitimately-visited locations from third-party services and other parties (location privacy) while simultaneously using those same services to help recover the device’s location(s) after it goes missing (device-tracking). We propose a system, named Adeona, that nevertheless meets both goals. It provides strong guarantees of location privacy while preserving the ability to efficiently track missing devices. We build a version of Adeona that uses OpenDHT as the third party service, resulting in an immediately deployable system that does not rely on any single trusted third party. We describe numerous extensions for the basic design that increase Adeona’s suitability for particular deployment environments. 1
Key-Recovery Attacks on Universal Hash Function based MAC Algorithms
"... This paper discusses key recovery and universal forgery attacks on several MAC algorithms based on universal hash functions. The attacks use a substantial number of verification queries but eventually allow for universal forgeries instead of existential or multiple forgeries. This means that the se ..."
Abstract
-
Cited by 20 (0 self)
- Add to MetaCart
This paper discusses key recovery and universal forgery attacks on several MAC algorithms based on universal hash functions. The attacks use a substantial number of verification queries but eventually allow for universal forgeries instead of existential or multiple forgeries. This means that the security of the algorithms completely collapses once a few forgeries are found. Some of these attacks start off by exploiting a weak key property, but turn out to become full-fledged divide and conquer attacks because of the specific structure of the universal hash functions considered. Partial information on a secret key can be exploited too, in the sense that it renders some key recovery attacks practical as soon as a few key bits are known. These results show that while universal hash functions offer provable security, high speeds and parallelism, their simple combinatorial properties make them less robust than conventional message authentication primitives.
When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography
- NDSS '10 (NETWORK AND DISTRIBUTED SECURITY SYMPOSIUM)
, 2010
"... Random number generators (RNGs) are consistently a weak link in the secure use of cryptography. Routine cryptographic operations such as encryption and signing can fail spectacularly given predictable or repeated randomness, even when using good long-lived key material. This has proved problematic i ..."
Abstract
-
Cited by 20 (5 self)
- Add to MetaCart
Random number generators (RNGs) are consistently a weak link in the secure use of cryptography. Routine cryptographic operations such as encryption and signing can fail spectacularly given predictable or repeated randomness, even when using good long-lived key material. This has proved problematic in prior settings when RNG implementation bugs, poor design, or low-entropy sources have resulted in predictable randomness. We investigate a new way in which RNGs fail due to reuse of virtual machine (VM) snapshots. We exhibit such VM reset vulnerabilities in widely-used TLS clients and servers: the attacker takes advantage of (or forces) snapshot replay to compromise sessions or even expose a serverâs DSA signing key. Our next contribution is a backwards-compatible framework for hedging routine cryptographic operations against bad randomness, thereby mitigating the damage due to randomness failures. We apply our framework to the OpenSSL library and experimentally confirm that it has little overhead.
McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes
, 2012
"... On-Line Authenticated Encryption (OAE) combines privacy with data integrity and is on-line computable. Most block cipher-based schemes for Authenticated Encryption can be run on-line and are provably secure against nonce-respecting adversaries. But they fail badly for more general adversaries. Thi ..."
Abstract
-
Cited by 19 (2 self)
- Add to MetaCart
(Show Context)
On-Line Authenticated Encryption (OAE) combines privacy with data integrity and is on-line computable. Most block cipher-based schemes for Authenticated Encryption can be run on-line and are provably secure against nonce-respecting adversaries. But they fail badly for more general adversaries. This is not a theoretical observation only – in practice, the reuse of nonces is a frequent issue. In recent years, cryptographers developed misuse resistant schemes for Authenticated Encryption. These guarantee excellent security even against general adversaries which are allowed to reuse nonces. Their disadvantage is that encryption can be performed in an off-line way, only. This paper introduces a nw family of OAE schemes –called McOE – dealing both with nonce-respecting and with general adversaries. Furthermore, we present three family members, i.e., McOE-X, McOE-D, and McOE-G. All of these members are based on a ’simple ’ block cipher. In contrast to all other OAE schemes known so far, they provably guarantee reasonable security against general adversaries as well as standard security against nonce-respecting adversaries.