Results 1 - 6 of 6
Security of Symmetric Encryption against Mass Surveillance
Abstract

Cited by 11 (1 self)
Abstract. Motivated by revelations concerning population-wide surveillance of encrypted communications, we formalize and investigate the resistance of symmetric encryption schemes to mass surveillance. The focus is on algorithm-substitution attacks (ASAs), where a subverted encryption algorithm replaces the real one. We assume that the goal of “big brother” is undetectable subversion, meaning that ciphertexts produced by the subverted encryption algorithm should reveal plaintexts to big brother yet be indistinguishable to users from those produced by the real encryption scheme. We formalize security notions to capture this goal and then offer both attacks and defenses. In the first category we show that successful (from the point of view of big brother) ASAs may be mounted on a large class of common symmetric encryption schemes. In the second category we show how to design symmetric encryption schemes that avoid such attacks and meet our notion of security. The lesson that emerges is the danger of choice: randomized, stateless schemes are subject to attack while deterministic, stateful ones are not.
Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes
Abstract

Cited by 7 (4 self)
Abstract. The Galois/Counter Mode (GCM) of operation has been standardized by NIST to provide single-pass authenticated encryption. The GHASH authentication component of GCM belongs to a class of Wegman-Carter polynomial hashes that operate in the field GF(2^128). We present message forgery attacks that are made possible by its extremely smooth-order multiplicative group which splits into 512 subgroups. GCM uses the same block cipher key K to both encrypt data and to derive the generator H of the authentication polynomial for GHASH. In present literature, only the trivial weak key H = 0 has been considered. We show that GHASH has much wider classes of weak keys in its 512 multiplicative subgroups, analyze some of their properties, and give experimental results on AES-GCM weak key search. Our attacks can be used not only to bypass message authentication with garbage but also to target specific plaintext bits if a polynomial MAC is used in conjunction with a stream cipher. These attacks can also be applied with varying efficiency to other polynomial hashes and MACs, depending on their field properties. Our findings show that especially the use of short polynomial-evaluation MACs should be avoided if the underlying field has a smooth multiplicative order.
SGCM: The Sophie Germain Counter Mode
Abstract

Cited by 1 (0 self)
Abstract. Sophie Germain Counter Mode (SGCM) is an authenticated encryption mode of operation, to be used with 128-bit block ciphers such as AES. SGCM is a variant of the NIST standardized Galois/Counter Mode (GCM) which has been found to be susceptible to weak key / short cycle forgery attacks. The GCM attacks are made possible by its extremely smooth-order multiplicative group which splits into 512 subgroups. Instead of GCM’s GF(2^128), we use GF(p) with p = 2^128 + 12451, where (p−1)/2 is also a prime. SGCM is intended for those who want a concrete, largely technically compatible alternative to GCM. In this memo we give a technical specification of SGCM, together with some elements of its implementation, security and performance analysis. Test vectors are also included.
Simple AEAD Hardware Interface (SÆHI) in a SoC: Implementing an On-Chip Keyak/WhirlBob Coprocessor
Abstract

Cited by 1 (1 self)
Simple AEAD Hardware Interface (SÆHI) is a hardware cryptographic interface aimed at CAESAR Authenticated Encryption with Associated Data (AEAD) algorithms. Cryptographic acceleration is typically achieved either with a coprocessor or via instruction set extensions. ISA modifications require reengineering the CPU core, making the approach inapplicable outside the realm of open source processor cores. Our proposed hardware interface is a memory-mapped cryptographic coprocessor, implementable even on very low end FPGA evaluation platforms. Algorithms complying to SÆHI must also include C language API drivers that directly utilize the memory mapping in a “bare metal” fashion. This can also be accommodated on MMU systems. Extended battery life and bandwidth resulting from dedicated cryptographic hardware is vital for currently dominant computing and communication devices: mobile phones, tablets, and Internet-of-Things (IoT) applications. We argue that these should be priority hardware optimization targets for AEAD algorithms with realistic payload profiles. We demonstrate a fully integrated implementation of WhirlBob and Keyak AEADs on the FPGA fabric of Xilinx Zynq 7010. This low-cost System-on-Chip (SoC) also houses a dual-core Cortex-A9 CPU, closely matching the architecture of many embedded devices. The on-chip coprocessor is accessible from user space with a Linux kernel driver. An integration path exists all the way to end-user applications.
GCM, GHASH and Weak Keys
Abstract
Abstract. The Galois/Counter Mode (GCM) of operation has been standardized by NIST to provide single-pass authenticated encryption. The GHASH authentication component of GCM belongs to a class of Wegman-Carter polynomial universal hashes that operate in the field GF(2^128). GCM uses the same block cipher key K to both encrypt data and to derive the generator H of the authentication polynomial. In present literature, only the trivial weak key H = 0 has been considered. In this note we show that GHASH has much wider classes of weak keys, analyze some of their properties, and give experimental results when GCM is used with the AES algorithm.
An Authenticated Encryption with Associated Data algo
Abstract
Simple AEAD Hardware Interface (SÆHI) is a hardware cryptographic interface aimed at CAESAR Authenticated Encryption with Associated Data (AEAD) algorithms. Cryptographic acceleration is typically achieved either with a coprocessor or via instruction set extensions. ISA modifications require reengineering the CPU core, making the approach inapplicable outside the realm of open source processor cores. At minimum, we suggest implementing CAESAR AEADs as universal memory-mapped cryptographic coprocessors, synthesizable even on low end FPGA platforms. AEADs complying to SÆHI must also include C language API drivers targeting low-end MCUs that directly utilize the memory mapping in a “bare metal” fashion. This can also be accommodated on MMU-equipped mid-range CPUs. Extended battery life and bandwidth resulting from dedicated cryptographic hardware is vital for currently dominant computing and communication devices: mobile phones, tablets, and Internet-of-Things (IoT) applications. We argue that these should be priority hardware optimization targets for AEAD algorithms with realistic payload profiles. We demonstrate a fully integrated implementation of WhirlBob and Keyak AEADs on the FPGA fabric of Xilinx Zynq 7010. This low-cost System-on-Chip (SoC) also houses a dual-core Cortex-A9 CPU, closely matching the architecture of many embedded devices. The on-chip coprocessor is accessible from user space with a Linux kernel driver. An integration path exists all the way to end-user applications.