Results 1  10
of
26
Authenticated encryption: Relations among notions and analysis of the generic composition paradigm
, 2000
"... and analysis of the generic composition paradigm ..."
Abstract

Cited by 222 (22 self)
 Add to MetaCart
and analysis of the generic composition paradigm
Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC
, 2003
"... We describe highly efficient constructions, XE and XEX, that turn a blockcipher E: K × {0, 1}^n → {0, 1}^n into a tweakable blockcipher... ..."
Abstract

Cited by 40 (2 self)
 Add to MetaCart
We describe highly efficient constructions, XE and XEX, that turn a blockcipher E: K × {0, 1}^n → {0, 1}^n into a tweakable blockcipher...
A provablesecurity treatment of the keywrap problem
 EUROCRYPT 2006, LNCS 4004
, 2006
"... Abstract. We give a provablesecurity treatment for the keywrap problem, providing definitions, constructions, and proofs. We suggest that keywrap’s goal is security in the sense of deterministic authenticatedencryption (DAE), a notion that we put forward. We also provide an alternative notion, a ..."
Abstract

Cited by 25 (4 self)
 Add to MetaCart
Abstract. We give a provablesecurity treatment for the keywrap problem, providing definitions, constructions, and proofs. We suggest that keywrap’s goal is security in the sense of deterministic authenticatedencryption (DAE), a notion that we put forward. We also provide an alternative notion, a pseudorandom injection (PRI), which we prove to be equivalent. We provide a DAE construction, SIV, analyze its concrete security, develop a blockcipherbased instantiation of it, and suggest that the method makes a desirable alternative to the schemes of the X9.102 draft standard. The construction incorporates a method to turn a PRF that operates on a string into an equally efficient PRF that operates on a vector of strings, a problem of independent interest. Finally, we consider IVbased authenticatedencryption (AE) schemes that are maximally forgiving of repeated IVs, a goal we formalize as misuseresistant AE. We show that a DAE scheme with a vectorvalued header, such as SIV, directly realizes this goal. 1
A general construction of tweakable block ciphers and different modes of operations
 In Helger Lipmaa, Moti Yung, and Dongdai Lin, editors, Inscrypt, volume 4318 of Lecture Notes in Computer Science
, 2006
"... Abstract. This work builds on earlier work by Rogaway at Asiacrypt 2004 on tweakable block cipher (TBC) and modes of operations. Our first contribution is to generalize Rogaway’s TBC construction by working over a ring R and by the use of a masking sequence of functions. The ring R can be instantiat ..."
Abstract

Cited by 11 (6 self)
 Add to MetaCart
Abstract. This work builds on earlier work by Rogaway at Asiacrypt 2004 on tweakable block cipher (TBC) and modes of operations. Our first contribution is to generalize Rogaway’s TBC construction by working over a ring R and by the use of a masking sequence of functions. The ring R can be instantiated as either GF (2 n) or as Z2 n. Further, over GF (2n), efficient instantiations of the masking sequence of functions can be done using either a binary Linear Feedback Shift Register (LFSR); a powering construction; a cellular automata map; or by using a word oriented LFSR. Rogaway’s TBC construction was built from the powering construction over GF (2 n). Our second contribution is to use the general TBC construction to instantiate constructions of various modes of operations including authenticated encryption (AE) and message authentication code (MAC). In particular, this gives rise to a family of efficient onepass AE mode of operation. Out of these, the mode of operation obtained by the use of word oriented LFSR promises to provide a masking method which is more efficient than the one used in the well known AE protocol called OCB. 3 Keywords: tweakable block cipher, modes of operations, AE, MAC, AEAD. 1
Concealment and its applications to authenticated encryption
 In EUROCRYPT 2003
, 2003
"... Abstract. We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, b ..."
Abstract

Cited by 10 (2 self)
 Add to MetaCart
Abstract. We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals “no information” about m, while (2) the binder b can be “meaningfully opened ” by at most one hider h. While setting b = m, h = ∅ is a trivial concealment, the challenge is to make b  ≪ m, which we call a “nontrivial ” concealment. We show that nontrivial concealments are equivalent to the existence of collisionresistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations. We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let AE be an authenticated encryption scheme (either public or symmetrickey) designed
The Software Performance of AuthenticatedEncryption Modes
, 2011
"... We study the software performance of authenticatedencryption modes CCM, GCM, and OCB. Across a variety of platforms, we find OCB to be substantially faster than either alternative. For example, on an Intel i5 (“Clarkdale”) processor, good implementations of CCM, GCM, and OCB encrypt at around 4.2 c ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
We study the software performance of authenticatedencryption modes CCM, GCM, and OCB. Across a variety of platforms, we find OCB to be substantially faster than either alternative. For example, on an Intel i5 (“Clarkdale”) processor, good implementations of CCM, GCM, and OCB encrypt at around 4.2 cpb, 3.7 cpb, and 1.5 cpb, while CTR mode requires about 1.3 cpb. Still we find room for algorithmic improvements to OCB, showing how to trim one blockcipher call (most of the time, assuming a counterbased nonce) and reduce latency. Our findings contrast with those of McGrew and Viega (2004), who claimed similar performance for GCM and OCB. Key words: authenticated encryption, cryptographic standards, encryption speed, modes of
PseudoRandom Functions and Parallelizable Modes of Operations of a Block Cipher
"... Abstract. This paper considers the construction and analysis of pseudorandom functions (PRFs) with specific reference to modes of operations of a block cipher. In the context of message authentication codes (MACs), earlier independent work by Bernstein and Vaudenay show how to reduce the analysis o ..."
Abstract

Cited by 6 (3 self)
 Add to MetaCart
Abstract. This paper considers the construction and analysis of pseudorandom functions (PRFs) with specific reference to modes of operations of a block cipher. In the context of message authentication codes (MACs), earlier independent work by Bernstein and Vaudenay show how to reduce the analysis of relevant PRFs to some probability calculations. In the first part of the paper, we revisit this result and use it to prove a general result on constructions which use a PRF with a “small ” domain to build a PRF with a “large ” domain. This result is used to analyse two new parallelizable PRFs which are suitable for use as MAC schemes. The first scheme, called iPMAC, is based on a block cipher and improves upon the wellknown PMAC algorithm. The improvements consist in faster masking operations and the removal of a design stage discrete logarithm computation. The second scheme, called VPMAC, uses a keyed compression function rather than a block cipher. The only previously known compression function based parallelizable PRF is called the protected counter sum (PCS) and is due to Bernstein. VPMAC improves upon PCS by requiring lesser number of calls to the compression function. The second part of the paper takes a new look at the construction and analysis of modes of operations for authenticated encryption (AE) and for authenticated encryption with associated data (AEAD). Usually, the most complicated part in the security analysis of such modes is the analysis of authentication
The GamePlaying Technique
, 2004
"... In the gameplaying technique, one writes a pseudocode game such that an adversary's advantage in attacking some cryptographic construction is bounded above by the probability that the game sets a flag bad. This probability is then upper bounded by making stepwise, syntactical refinements to the pse ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
In the gameplaying technique, one writes a pseudocode game such that an adversary's advantage in attacking some cryptographic construction is bounded above by the probability that the game sets a flag bad. This probability is then upper bounded by making stepwise, syntactical refinements to the pseudocode  a chain of games. The approach was first used by Kilian and Rogaway (1996) and has been used repeatedly since, but it has never received a systematic treatment. In this paper we provide one. We develop the foundations...
A Simple and Generic Construction of Authenticated Encryption With Associated Data
"... Abstract. We revisit the problem of constructing a protocol for performing authenticated encryption with associated data (AEAD). A technique is described which combines a collision resistant hash function with a protocol for authenticated encryption (AE). The technique is both simple and generic and ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
Abstract. We revisit the problem of constructing a protocol for performing authenticated encryption with associated data (AEAD). A technique is described which combines a collision resistant hash function with a protocol for authenticated encryption (AE). The technique is both simple and generic and does not require any additional key material beyond that of the AE protocol. Concrete instantiations are shown where a 256bit hash function is combined with some known singlepass AE protocols employing either 128bit or 256bit block ciphers. This results in possible efficiency improvement in the processing of the header.
Duplexing the sponge: Singlepass authenticated encryption and other applications
 In SAC 2011 (2011
"... Abstract. This paper proposes a novel construction, called duplex, closely related to the sponge construction, that accepts message blocks to be hashed and—at no extra cost—provides digests on the input blocks received so far. It can be proven equivalent to a cascade of sponge functions and hence in ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Abstract. This paper proposes a novel construction, called duplex, closely related to the sponge construction, that accepts message blocks to be hashed and—at no extra cost—provides digests on the input blocks received so far. It can be proven equivalent to a cascade of sponge functions and hence inherits its security against singlestage generic a�acks. The main application proposed here is an authenticated encryption mode based on the duplex construction. This mode is efficient, namely, enciphering and authenticating together require only a single call to the underlying permutation per block, and is readily usable in, e.g., key wrapping. Furthermore, it is the first mode of this kind to be directly based on a permutation instead of a block cipher and to natively support intermediate tags. The duplex construction can be used to efficiently realize other modes, such as a reseedable pseudorandom bit sequence generators and a sponge variant that overwrites part of the state with the input block rather than to XOR it in.