Results 1-10 of 19
K.: Parallelizable and authenticated online ciphers
ASIACRYPT (1). Lecture Notes in Computer Science, 2013
Cited by 23 (7 self)
Abstract. Online ciphers encrypt an arbitrary number of plaintext blocks and output ciphertext blocks which only depend on the preceding plaintext blocks. All online ciphers proposed so far are essentially serial, which significantly limits their performance on parallel architectures such as modern general-purpose CPUs or dedicated hardware. We propose the first parallelizable online cipher, COPE. It performs two calls to the underlying block cipher per plaintext block and is fully parallelizable in both encryption and decryption. COPE is proven secure against chosen-plaintext attacks assuming the underlying block cipher is a strong PRP. We then extend COPE to create COPA, the first parallelizable, online authenticated cipher with nonce-misuse resistance. COPA only requires two extra block cipher calls to provide integrity. The privacy and integrity of the scheme is proven secure assuming the underlying block cipher is a strong PRP. Our implementation with Intel AES-NI on a Sandy Bridge CPU architecture shows that both COPE and COPA are about 5 times faster than their closest competition: TC1, TC3, and McOE-G. This high factor of advantage emphasizes the paramount role of parallelizability on up-to-date computing platforms.
Robust authenticated-encryption: AEZ and the problem that it solves
2014
Cited by 13 (3 self)
Abstract. With a scheme for robust authenticated-encryption a user can select an arbitrary value λ ≥ 0 and then encrypt a plaintext of any length into a ciphertext that's λ characters longer. The scheme must provide all the privacy and authenticity possible for the requested λ. We formalize and investigate this idea, and construct a well-optimized solution, AEZ, from the AES round function. Our scheme encrypts strings at almost the same rate as OCB-AES or CTR-AES (on Haswell, AEZ has a peak speed of about 0.7 cpb). To accomplish this we employ an approach we call accelerated provable security: the scheme is designed and proven secure in the provable-security tradition, but, to improve speed, one instantiates by scaling down most instances of the underlying primitive. Keywords: AEZ, arbitrary-input blockciphers, authenticated encryption, robust AE, misuse resistance,
Online authenticated-encryption and its nonce-reuse misuse-resistance
CRYPTO 2015, part I, LNCS 9215, Springer, 2015
Cited by 6 (1 self)
Abstract. A definition of online authenticated-encryption (OAE), call it OAE1, was given by Fleischmann, Forler, and Lucks (2012). It has become a popular definitional target because, despite allowing encryption to be online, security is supposed to be maintained even if nonces get reused. We argue that this expectation is effectively wrong. OAE1 security has also been claimed to capture best-possible security for any online-AE scheme. We claim that this understanding is wrong, too. So motivated, we redefine OAE-security, providing a radically different formulation, OAE2. The new notion effectively does capture best-possible security for a user's choice of plaintext segmentation and ciphertext expansion. It is achievable by simple techniques from standard tools. Yet even for OAE2, nonce-reuse can still be devastating. The picture to emerge is that no OAE definition can meaningfully tolerate nonce-reuse, but, at the same time, OAE security ought never have been understood to turn on this question.
Optimally Secure Tweakable Blockciphers
Fast Software Encryption - FSE 2015, volume 9054 of LNCS, 2015
Cited by 4 (1 self)
Abstract. We consider the generic design of a tweakable blockcipher from one or more evaluations of a classical blockcipher, in such a way that all input and output wires are of size n bits. As a first contribution, we show that any tweakable blockcipher with one primitive call and arbitrary linear pre- and post-processing functions can be distinguished from an ideal one with an attack complexity of about 2^(n/2). Next, we introduce the tweakable blockcipher F̃[1]. It consists of one multiplication and one blockcipher call with tweak-dependent key, and achieves 2^(2n/3) security. Finally, we introduce F̃[2], which makes two blockcipher calls, one of which with tweak-dependent key, and achieves optimal 2^n security. Both schemes are more efficient than all existing beyond-birthday-bound tweakable blockciphers known to date, as long as one blockcipher key renewal is cheaper than one blockcipher evaluation plus one universal hash evaluation.
Pipelineable On-Line Encryption
Cited by 4 (0 self)
Abstract. Correct authenticated decryption requires the receiver to buffer the decrypted message until the authenticity check has been performed. In high-speed networks, which must handle large message frames at low latency, this behavior becomes practically infeasible. This paper proposes CCA-secure online ciphers as a practical alternative to AE schemes since the former provide some defense against malicious message modifications. Unfortunately, all published online ciphers so far are either inherently sequential, or lack a CCA-security proof. This paper introduces POE, a family of online ciphers that combines provable security against chosen-ciphertext attacks with pipelineability to support efficient implementations. POE combines a block cipher and an ε-AXU family of hash functions. Different instantiations of POE are given, based on different universal hash functions and suitable for different platforms. Moreover, this paper introduces POET, a provably secure online AE scheme, which inherits pipelineability and chosen-ciphertext-security from POE and provides additional resistance against nonce-misuse attacks.
On Modes of Operations of a Block Cipher for Authentication and Authenticated Encryption
Cited by 3 (2 self)
Abstract. This work deals with the various requirements of encryption and authentication in cryptographic applications. The approach is to construct suitable modes of operations of a block cipher to achieve the relevant goals. A variety of schemes suitable for specific applications are presented. While none of the schemes are built completely from scratch, there is a common unifying framework which connects them. All the schemes described have been implemented and the implementation details are publicly available. Performance figures are presented when the block cipher is the AES and the Intel AES-NI instructions are used. These figures suggest that the constructions presented here compare well with previous works such as the famous OCB mode of operation. In terms of features, the constructions provide several new offerings which are not present in earlier works. This work significantly widens the range of choices of an actual designer of a cryptographic system.
GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One C/B
Cited by 2 (0 self)
Abstract. Authenticated encryption schemes guarantee both privacy and integrity, and have become the default level of encryption in modern protocols. One of the most popular authenticated encryption schemes today is AES-GCM due to its impressive speed. The current CAESAR competition is considering new modes for authenticated encryption that will improve on existing methods. One property of importance that is being considered more today is due to the fact that if the nonce or IV repeats, then this can have disastrous effects on security. A (full) nonce misuse-resistant authenticated encryption scheme has the property that if the same nonce is used to encrypt the same message twice, then the same ciphertext is obtained and so the fact that the same message was encrypted is detected. Otherwise, full security is obtained, even if the same nonce is used for different messages. In this paper, we present a new fully nonce misuse-resistant authenticated encryption scheme that is based on carefully combining the GCM building blocks into the SIV paradigm of Rogaway and Shrimpton. We provide a full proof of security of our scheme, and an optimized implementation using the AES-NI and PCLMULQDQ instruction sets. We compare our performance to the highly optimized OpenSSL 1.0.2 implementation of GCM and show that our nonce misuse-resistant scheme is only 14% slower on Haswell architecture and 19% slower on Broadwell architecture. On Broadwell, GCM-SIV encryption takes only 0.92 cycles per byte, and GCM-SIV decryption is exactly the same as GCM decryption taking only 0.77 cycles per byte. Beyond being very fast, our new mode of operation uses the same building blocks as GCM and so existing hardware and software can be utilized to easily deploy GCM-SIV. We conclude that GCM-SIV is a viable alternative to GCM, providing full nonce misuse-resistance at little cost.
ELmE: A Misuse Resistant Parallel Authenticated Encryption
Cited by 2 (0 self)
Abstract. The authenticated encryptions which resist misuse of initial value (or nonce) at some desired level of privacy are two-pass or Mac-then-Encrypt constructions (inherently inefficient but provide full privacy) and online constructions, e.g., McOE, sponge-type authenticated encryptions (such as duplex, AEGIS) and COPA. Only the last one is almost parallelizable with some bottleneck in processing associated data. In this paper, we design a new online secure authenticated encryption, called ELmE or Encrypt-Linear mix-Encrypt, which is completely (two-stage) parallel (even in associated data) and pipeline implementable. It also provides full privacy when associated data (which includes initial value) is not repeated. The basic idea of our construction and COPA are based on EME, an Encrypt-Mix-Encrypt type SPRP construction (secure against chosen plaintext and ciphertext). Unlike EME, we consider online computable efficient linear mixing. Our construction optionally supports intermediate tags, which can be verified faster with less buffer size to provide security against blockwise adversaries which is meaningful in low-end device implementation.
Breaking POET authentication with a single query
Cited by 2 (0 self)
Abstract. In this short article, we describe a very practical and simple attack on the authentication part of POET authenticated encryption mode proposed at FSE 2014. POET is a provably secure scheme that was designed to resist various attacks where the adversary is allowed to repeat the nonce, or even when the message is output before verifying the validity of the tag when querying the decryption oracle. However, we demonstrate that using only a single encryption query and a negligible amount of computations, even without any special misuse from the attacker, it is possible to generate many valid ciphertext/tag pairs for POET. Our work shows that one should not use POET for any application where the authentication property is required. Furthermore, we propose a possible patch to overcome this particular issue, yet without backing up this patch with a security proof.
Key words: authenticated encryption, CAESAR, POE, POET, cryptanalysis, authenticity
Authenticated encryption is a very useful cryptographic primitive that might benefit many security engineers and protocol designers, as it provides both privacy and authenticity when sending data. In particular, it avoids the classical threat of a misinterpretation of the privacy-only security provided by a simple encryption mode. The encryption part usually takes as input a message M, some public
Automated analysis and synthesis of authenticated encryption schemes
Cited by 1 (1 self)
Authenticated encryption (AE) schemes are symmetric-key encryption schemes ensuring strong notions of confidentiality and integrity. Although various AE schemes are known, there remains significant interest in developing schemes that are more efficient, meet even stronger security notions (e.g., misuse-resistance), or satisfy certain non-cryptographic properties (e.g., being patent-free). We present an automated approach for analyzing and synthesizing blockcipher-based AE schemes, significantly extending prior work by Malozemoff et al. (CSF 2014) who synthesize encryption schemes satisfying confidentiality only. Our main insight is to restrict attention to a certain class of schemes that is expressive enough to capture several known constructions yet also admits automated reasoning about security. We use our approach to generate thousands of AE schemes with provable security guarantees, both known (e.g., variants of OCB and CCM) and new. Implementing two of these new schemes, we find their performance competitive with state-of-the-art AE schemes.