EME*: extending EME to handle arbitrary-length messages with associated data
This work describes a mode of operation, EME*, that turns a regular block cipher into a length-preserving enciphering scheme for messages of (almost) arbitrary length. Specifically, the resulting scheme can handle any bit-length, not shorter than the block size of the underlying cipher, and it also handles associated data of arbitrary bit-length. Such a scheme can either be used directly in applications that need encryption but cannot afford length expansion, or serve as a convenient building block for higher-level modes.
The mode EME* is a refinement of the EME mode of Halevi and Rogaway, and it inherits the efficiency and parallelism of the original EME.
A Generic Method to Extend Message Space of a Strong Pseudorandom Permutation
In this paper we present an efficient and secure generic method which can encrypt messages of size at least . This generic encryption algorithm needs a secure encryption algorithm for messages of multiple of . The first generic construction, XLS, was proposed by Ristenpart and Rogaway at FSE-07. It needs two extra invocations of an independently chosen strong pseudorandom permutation (SPRP) defined over \s^n for encryption of an incomplete message block, whereas our construction needs only one invocation of a weak pseudorandom function and two multiplications over a finite field (equivalently, two invocations of a universal hash function). We prove here that the proposed method preserves (tweakable) SPRP. This new construction is meaningful for two reasons. Firstly, it is based on a weak pseudorandom function, which is a weaker security notion than SPRP; thus we are able to achieve stronger security from a weaker one. Secondly, in practice, finite field multiplication is more efficient than an invocation of an SPRP. Hence our method can be more efficient than XLS.
Tweakable Enciphering Schemes Using Only the Encryption Function of a Block Cipher
A new construction of block cipher based tweakable enciphering schemes (TES) is described. The major improvement over existing TES is that the construction uses only the encryption function of the underlying block cipher. Consequently, this leads to substantial savings in the size of hardware implementations of TES applications such as disk encryption. This improvement is achieved without loss in efficiency of encryption and decryption compared to the best previously known schemes.
Notions and relations for RKA-secure permutation and function families
The theory of designing block ciphers is mature, having seen significant progress since the early 1990s for over two decades, especially during the AES development effort. Nevertheless, interesting directions exist, in particular in the study of the provable security of block ciphers along similar veins as public-key primitives, i.e. the notions of pseudorandomness (PRP) and indistinguishability (IND). Furthermore, recent cryptanalytic progress has shown that block ciphers well designed against known cryptanalysis techniques, including related-key attacks (RKA), may turn out to be less secure against related-key attacks than expected. The notion of provable security of block ciphers against related-key attacks was initiated by Bellare and Kohno, and subsequently treated by Lucks. Concrete block cipher constructions were proposed therein with provable security guarantees. In this paper, we are interested in the security notions for RKA-secure block ciphers.
Improving Upon the TET Mode of Operation
Naor and Reingold had proposed the construction of a strong pseudo-random permutation (SPRP) by using a layer of ECB encryption between two layers of invertible block-wise universal hash functions. At Crypto 2007, Halevi presented constructions of invertible block-wise universal hash functions and a new mode of operation (called TET) based on them. In this paper, we present a new mode of operation called HEH using the Naor-Reingold approach. This is built using a new construction of an invertible block-wise universal hash function. The new construction improves over Halevi's construction by removing restrictions on the hashing key. This in turn leads to HEH improving over TET by allowing more efficient encryption and decryption of variable length messages as well as supporting better key agility. For the important application of disk encryption, we present a variant called HEHfp which has better key agility than TET.
Another Look at XCB
XCB is a tweakable enciphering scheme (TES) which was first proposed in 2004. The scheme was modified in 2007. We call these two versions of XCB XCBv1 and XCBv2 respectively. XCBv2 was later proposed as a standard for encryption of sector-oriented storage media in IEEE Std 1619.2-2010. There is no known proof of security for XCBv1, but the authors provided a concrete security bound for XCBv2 and a "proof" for justifying the bound. In this paper we show that XCBv2 is not secure as a TES by showing an easy distinguishing attack on it. For XCBv2 to be secure, the message space should contain only messages whose lengths are multiples of the block length of the block cipher. For such restricted message spaces also, the bound that the authors claim is not justified. We show this by pointing out some errors in the proof. For XCBv2 on full block messages, we provide a new security analysis. The resulting bound that can be proved is much worse than what has been claimed by the authors. Further, we provide the first concrete security bound for XCBv1, which holds for all message lengths. In terms of known security bounds, both XCBv1 and XCBv2 are worse compared to existing alternative TES.
Adiantum: length-preserving encryption for entry-level processors
We present HBSH, a simple construction for tweakable length-preserving encryption which supports the fastest options for hashing and stream encryption for processors without AES or other crypto instructions, with a provable quadratic advantage bound. Our composition Adiantum uses NH, Poly1305, XChaCha12, and a single AES invocation. On an ARM Cortex-A7 processor, Adiantum decrypts 4096-byte messages at 10.6 cycles per byte, over five times faster than AES-256-XTS, with a constant-time implementation. We also define HPolyC, which is simpler and has excellent key agility, at 13.6 cycles per byte.
LibFTE: A Toolkit for Constructing Practical, Format-Abiding Encryption Schemes
Encryption schemes where the ciphertext must abide by a specified format have diverse applications, ranging from in-place encryption in databases to per-message encryption of network traffic for censorship circumvention. Despite this, a unifying framework for deploying such encryption schemes has not been developed. One consequence of this is that current schemes are ad hoc; another is a requirement for expert knowledge that can dissuade one from using encryption at all. We present a general-purpose library (called libfte) that aids engineers in the development and deployment of format-preserving encryption (FPE) and format-transforming encryption (FTE) schemes. It incorporates a new algorithmic approach for performing FPE/FTE using the nondeterministic finite-state automata (NFA) representation of a regular expression when specifying formats. This approach was previously considered unworkable, and our approach closes this open problem. We evaluate libfte and show that, compared to other encryption solutions, it introduces negligible latency overhead, and can decrease disk-space usage by as much as 62.5% when used for simultaneous encryption and compression in a PostgreSQL database (both relative to conventional encryption mechanisms). In the censorship circumvention setting we show that, using regular-expression formats lifted from the Snort IDS, libfte can reduce client/server memory requirements by as much as 30%.
General Classification of the Authenticated Encryption Schemes for the CAESAR Competition
An authenticated encryption scheme is a scheme which provides privacy and integrity by using a secret key. In 2013, CAESAR (the "Competition for Authenticated Encryption: Security, Applicability, and Robustness") was co-founded by NIST and Dan Bernstein with the aim of finding authenticated encryption schemes that offer advantages over AES-GCM and are suitable for widespread adoption. The first round started with 57 candidates in March 2014, and nine of these first-round candidates were broken and withdrawn from the competition. The remaining 48 candidates went through an intense process of review, analysis and comparison. While the cryptographic community benefits greatly from the manifold different submission designs, their sheer number implies a challenging amount of study. This paper provides an easy-to-grasp overview of functional aspects, security parameters, and robustness offerings of the CAESAR candidates, clustered by their underlying designs (block-cipher-, stream-cipher-, permutation-/sponge-, compression-function-based, dedicated). After intensive review and analysis of all 48 candidates by the community, the CAESAR committee selected only 30 candidates for the second round. The announcement of the third-round candidates was made on 15th August 2016, and 15 candidates were chosen for the third round.