15 research outputs found

    Modelling the selective Galois counter mode with rapid generation of the message authentication code

    This article discusses the selective Galois counter mode with rapid generation of the Galois message authentication code (Galois/Counter Mode and GMAC, i.e. GCM & GMAC). The specification of this mode is presented in NIST SP 800-38D. This mode is designed for the realization of rapid cryptotransformations in providing information security services using different cryptographic primitives, such as polynomial hashing, a counter and others. Use of the proposed mode ensures the integrity and confidentiality of information. The article develops a reduced model of the mode. The reduced model preserves the algebraic structure of all main cryptotransformations by scaling them. The developed reduced model will be used for experimental studies of the collision properties of the generated message authentication codes using the methods of statistical hypothesis testing and mathematical statistics. This article discusses practical examples of cryptoprimitives and cryptotransformations. The selective Galois counter mode with rapid generation of the message authentication code (Galois/Counter Mode and GMAC), whose specification is given in NIST SP 800-38D, is considered. A reduced model of the mode is developed that preserves the algebraic structure of all the main cryptographic transformations and, by scaling them, makes it possible to carry out experimental studies of the collision properties of the generated message authentication codes, with subsequent prediction of the level of cryptographic strength of the full version of the cipher.

    Revisiting MAC Forgeries, Weak Keys and Provable Security of Galois/Counter Mode of Operation

    Abstract. Galois/Counter Mode (GCM) is a block cipher mode of operation widely adopted in many practical applications and standards, such as IEEE 802.1AE and IPsec. We demonstrate that to construct successful forgeries of GCM-like polynomial-based MAC schemes, hash collisions are not necessarily required and any polynomials could be used in the attacks, which removes the restrictions of attacks previously proposed by Procter and Cid. Based on these new discoveries on forgery attacks, we show that all subsets with no less than two authentication keys are weak key classes, if the final block cipher masking is computed additively. In addition, by utilizing a special structure of GCM, we turn these forgery attacks into birthday attacks, which will significantly increase their success probabilities. Furthermore, we provide a method to fix GCM in order to avoid the security proof flaw discovered by Iwata, Ohashi and Minematsu. By applying the method, the security bounds of GCM can be improved by a factor of around $2^{20}$. Lastly, we show that these forgery attacks will still succeed if GCM adopts the MAC-then-Enc paradigm to protect its MAC scheme, as one of the options mentioned in previous papers

    Regular and almost universal hashing: an efficient implementation

    Random hashing can provide guarantees regarding the performance of data structures such as hash tables---even in an adversarial setting. Many existing families of hash functions are universal: given two data objects, the probability that they have the same hash value is low given that we pick hash functions at random. However, universality fails to ensure that all hash functions are well behaved. We further require regularity: when picking data objects at random they should have a low probability of having the same hash value, for any fixed hash function. We present the efficient implementation of a family of non-cryptographic hash functions (PM+) offering good running times, good memory usage as well as distinguishing theoretical guarantees: almost universality and component-wise regularity. On a variety of platforms, our implementations are comparable to the state of the art in performance. On recent Intel processors, PM+ achieves a speed of 4.7 bytes per cycle for 32-bit outputs and 3.3 bytes per cycle for 64-bit outputs. We review vectorization through SIMD instructions (e.g., AVX2) and optimizations for superscalar execution.Comment: accepted for publication in Software: Practice and Experience in September 201

    GCM Security Bounds Reconsidered

    A constant of $2^{22}$ appears in the security bounds of the Galois/Counter Mode of Operation, GCM. In this paper, we first develop an algorithm to generate nonces that have a high counter-collision probability. We show concrete examples of nonces with a counter-collision probability of about $2^{20.75}/2^{128}$. This shows that the constant in the security bounds, $2^{22}$, cannot be made smaller than $2^{19.74}$ if the proof relies on ``the sum bound.'' We next show that it is possible to avoid using the sum bound, leading to improved security bounds for GCM. One of our improvements shows that the constant of $2^{22}$ can be reduced to 32

    Comparative analysis of modern authenticated encryption modes

    The qualification thesis contains: 66 pages, 17 figures, 0 tables, 18 sources. The purpose of this work is to study issues related to the schemes of authenticated encryption based on adders. Authenticated encryption algorithms enable us to interact securely in computer systems through confidentiality and the prevention of message forgery, that is, through ensuring the integrity of our information. The object of research is information processes in cryptographic protection systems. The subject is the properties of the combined modes of authenticated encryption based on combiners

    Security of Multilinear Galois Mode (MGM)

    In this paper we analyze the new AEAD mode called the Multilinear Galois Mode (MGM) originally proposed in CTCrypt 2017. This mode is currently considered in the Russian Standardization system as the main contender to be adopted as a standard AEAD mode. The analysis of the MGM mode was carried out in the paradigm of provable security, in other words, lower security bounds were obtained for the Privacy and Authenticity notions. These bounds show that the privacy and authenticity of this mode is provably guaranteed (under security of the used block cipher) up to the birthday paradox bound

    Misuse-Resistant Variants of the OMD Authenticated Encryption Mode

    We present two variants of OMD which are robust against nonce misuse. Security of OMD---a CAESAR candidate---relies on the assumption that implementations always ensure correct use of the nonce (a.k.a. message number); namely, that the nonce never gets repeated. However, in some application environments, this non-repetitiveness requirement on the nonce might be compromised or ignored, leading to a full collapse of the security guarantee. We aim to reach the maximal possible level of robustness against repeated nonces, as defined by Rogaway and Shrimpton (FSE 2006) under the name misuse-resistant AE (MRAE). Our first scheme, called misuse-resistant OMD (MR-OMD), is designed to be substantially similar to OMD while achieving stronger security goals; hence, it is able to reuse any existing common code/hardware. Our second scheme, called parallelizable misuse-resistant OMD (PMR-OMD), further deviates from the original OMD design in its encryption process, providing a parallelizable algorithm, in contrast with OMD and MR-OMD, which have serial encryption/decryption processes. Both MR-OMD and PMR-OMD are single-key modes of operation. It is known that maximally robust MRAE schemes are necessarily two-pass, a price paid compared to a one-pass scheme such as OMD. Nevertheless, in MR-OMD and PMR-OMD, we combine the two passes in a way that minimizes the incurred additional cost: the overhead incurred by the second pass in our two-pass variants is about 50 % of the encryption time for OMD

    General Classification of the Authenticated Encryption Schemes for the CAESAR Competition

    An authenticated encryption scheme is a scheme which provides privacy and integrity by using a secret key. In 2013, CAESAR (the ``Competition for Authenticated Encryption: Security, Applicability, and Robustness'') was co-founded by NIST and Dan Bernstein with the aim of finding authenticated encryption schemes that offer advantages over AES-GCM and are suitable for widespread adoption. The first round started with 57 candidates in March 2014, and nine of these first-round candidates were broken and withdrawn from the competition. The remaining 48 candidates went through an intense process of review, analysis and comparison. While the cryptographic community benefits greatly from the manifold different submission designs, their sheer number implies a challenging amount of study. This paper provides an easy-to-grasp overview of functional aspects, security parameters, and robustness offerings of the CAESAR candidates, clustered by their underlying designs (block-cipher-, stream-cipher-, permutation-/sponge-, compression-function-based, dedicated). After intensive review and analysis of all 48 candidates by the community, the CAESAR committee selected only 30 candidates for the second round. The announcement of the third-round candidates was made on 15th August 2016, and 15 candidates were chosen for the third round