Pseudo-Random Functions and Parallelizable Modes of Operations of a Block Cipher
This paper considers the construction and analysis of pseudo-random functions (PRFs) with
specific reference to modes of operations of a block cipher. In the context of message
authentication codes (MACs), earlier independent work by Bernstein and Vaudenay shows how
to reduce the analysis of relevant PRFs to some probability calculations. In the first part of
the paper, we revisit this result and use it to prove a general result on constructions
which use a PRF with a "small" domain to build a PRF with a "large" domain. This result
is used to analyse two new parallelizable PRFs which are suitable for use as MAC schemes. The
first scheme, called iPMAC, is based on a block cipher and improves upon the well-known PMAC
algorithm. The improvements consist of faster masking operations and the removal of a design
stage discrete logarithm computation. The second scheme, called VPMAC, uses a keyed
compression function rather than a block cipher. The only previously known compression function
based parallelizable PRF is called the protected counter sum (PCS) and is due to Bernstein.
VPMAC improves upon PCS by requiring fewer calls to the compression function.
The second part of the paper takes a new look at the construction and analysis of modes
of operations for authenticated encryption (AE) and for authenticated encryption with associated
data (AEAD). Usually, the most complicated part in the security analysis of such modes is
the analysis of authentication security. Previous work by Liskov, Rivest and Wagner and
later Rogaway had suggested that this analysis is simplified by using a primitive called a
tweakable block cipher
(TBC). In contrast, we take a direct approach. We prove a general result which shows that the
authentication security of an AE scheme can be proved from the privacy of the scheme and
by showing a certain associated function to be a PRF. Two new AE schemes PAE and
PAE-1 are described and analysed using this approach. In particular, it is shown that
the authentication security of PAE follows easily from the security of iPMAC. As a
result, no separate extensive analysis of the authentication security of PAE is required.
An AEAD scheme can be obtained by combining an AE scheme and an authentication scheme and
it has been suggested earlier that a TBC based approach simplifies the analysis. Again, in
contrast to the TBC based approach, we take a direct approach based on a simple masking strategy.
Our idea uses double encryption of a fixed string and achieves the same effect of mask separation
as in the TBC based approach.
Using this idea, two new AEAD schemes PAEAD and PAEAD-1 are described.
An important application of AEAD schemes is in the encryption of IP packets. The new schemes
offer certain advantages over previously well known schemes such as the offset codebook (OCB) mode.
These improvements include a wider variety of easily reconfigurable families of
schemes, a small speed-up, a smaller decryption algorithm for hardware implementation and
uniform processing of only full-block messages.
Farasha: A Provable Permutation-based Parallelizable PRF
The pseudorandom function Farfalle, proposed by Bertoni et al. at ToSC 2017, is a permutation based arbitrary length input and output PRF. At its core are the public permutations and feedback shift register based rolling functions. Being an elegant and parallelizable design, it is surprising that the security of Farfalle has been only investigated against generic cryptanalysis techniques such as differential/linear and algebraic attacks and nothing concrete about its provable security is known.
To fill this gap, in this work we propose Farasha, a new permutation-based parallelizable PRF with provable security. Farasha can be seen as a simple and provable Farfalle-like construction where the rolling functions in the compression and expansion phases of Farfalle are replaced by a uniform almost xor universal (AXU) function and a simple counter, respectively. We then prove that in the random permutation model, the compression phase of Farasha can be shown to be a
uniform AXU function and the expansion phase can be mapped to an Even-Mansour block cipher. Consequently, combining these two properties, we show that Farasha achieves a security of min(keysize, permutation size/2). Finally, we provide concrete instantiations of Farasha with AXU functions providing different performance trade-offs. We believe our work will bring new insights into further understanding the provable security of Farfalle-like constructions.
Encryption Modes with Almost Free Message Integrity
We define a new mode of operation for block ciphers which in addition to providing confidentiality also ensures message integrity. In contrast, previously for message integrity a separate pass was required to compute a cryptographic message authentication code (MAC). The new mode of operation, called Integrity Aware Parallelizable Mode (IAPM),
requires a total of m+1 block cipher evaluations on a plaintext of length m blocks. For comparison, the well-known CBC (cipher block chaining) encryption mode requires m block cipher evaluations, and the second pass of computing the CBC-MAC essentially requires an additional m+1 block cipher evaluations. As the name suggests, the new mode is also highly parallelizable.
A parallel block-based encryption schema for digital images using reversible cellular automata
We propose a novel image encryption scheme based on reversible one-dimensional cellular automata (RCAs). In contrast to the sequential operating mode of several existing approaches, the proposed one is fully parallelizable, since the encryption/decryption tasks can be executed by multiple processes running independently on the same single image. The parallelization is made possible by defining a new RCA-based construction of an extended pseudorandom permutation (PRP) that takes a nonce as a supplementary parameter. The defined PRP exploits the chaotic behaviour and the high initial-condition sensitivity of the RCAs to ensure strong cryptographic security properties. Results of various experiments and analyses show that high security and execution performance can be achieved using the approach; furthermore, it provides the ability to perform selective area decryption, since any part of the ciphered image can be deciphered independently of the others, which is very useful for real-time applications.
Full Disk Encryption: Bridging Theory and Practice
We revisit the problem of Full Disk Encryption (FDE), which refers to the encryption of each sector of a disk volume. In the context of FDE, it is assumed that there is no space to store additional data, such as an IV (Initialization Vector) or a MAC (Message Authentication Code) value. We formally define the security notions in this model against chosen-plaintext and chosen-ciphertext attacks. Then, we classify various FDE modes of operation according to their security in this setting, in the presence of various restrictions on the queries of the adversary. We find that our approach leads to new insights for both theory and practice. Moreover, we introduce the notion of a diversifier, which does not require additional storage but allows the plaintext of a particular sector to be encrypted to different ciphertexts. We show how a 2-bit diversifier can be implemented in the EagleTree simulator for solid state drives (SSDs), while decreasing the total number of Input/Output Operations Per Second (IOPS) by only 4%.
Breaking Symmetric Cryptosystems Using Quantum Period Finding
Due to Shor's algorithm, quantum computers are a severe threat for public key
cryptography. This motivated the cryptographic community to search for
quantum-safe solutions. On the other hand, the impact of quantum computing on
secret key cryptography is much less understood. In this paper, we consider
attacks where an adversary can query an oracle implementing a cryptographic
primitive in a quantum superposition of different states. This model gives a
lot of power to the adversary, but recent results show that it is nonetheless
possible to build secure cryptosystems in it.
We study applications of a quantum procedure called Simon's algorithm (the
simplest quantum period finding algorithm) in order to attack symmetric
cryptosystems in this model. Following previous works in this direction, we
show that several classical attacks based on finding collisions can be
dramatically sped up using Simon's algorithm: finding a collision requires
queries in the classical setting, but when collisions happen
with some hidden periodicity, they can be found with only queries in the
quantum model.
We obtain attacks with very strong implications. First, we show that the most
widely used modes of operation for authentication and authenticated encryption
(e.g. CBC-MAC, PMAC, GMAC, GCM, and OCB) are completely broken in this security
model. Our attacks are also applicable to many CAESAR candidates: CLOC, AEZ,
COPA, OTR, POET, OMD, and Minalpher. This is quite surprising compared to the
situation with encryption modes: Anand et al. show that standard modes are
secure with a quantum-secure PRF.
Second, we show that Simon's algorithm can also be applied to slide attacks,
leading to an exponential speed-up of a classical symmetric cryptanalysis
technique in the quantum model.
Comment: 31 pages, 14 figures
Tweakable Blockciphers for Efficient Authenticated Encryptions with Beyond the Birthday-Bound Security
Modular design via a tweakable blockcipher (TBC) offers efficient authenticated encryption (AE) schemes (with associated data) that call a blockcipher once for each data block (of associated data or of a plaintext). However, the existing efficient blockcipher-based TBCs are secure only up to the birthday bound, where the underlying keyed blockcipher is a secure strong pseudorandom permutation. Existing blockcipher-based AE schemes with beyond-birthday-bound (BBB) security are not efficient, that is, a blockcipher is called twice or more for each data block. In this paper, we present a TBC, XKX, that offers efficient blockcipher-based AE schemes with BBB security, by combining with efficient TBC-based AE schemes such as ΘCB3 an
On Modes of Operations of a Block Cipher for Authentication and Authenticated Encryption
This work deals with the various requirements of encryption and authentication in cryptographic applications. The approach
is to construct suitable modes of operations of a block cipher to achieve the relevant goals. A variety
of schemes suitable for specific applications are presented. While none of the schemes are built completely from scratch,
there is a common unifying framework which connects them. All the schemes described have been implemented and the implementation
details are publicly available. Performance figures are presented when the block cipher is the AES and the Intel AES-NI
instructions are used. These figures suggest that the constructions presented here compare well with previous works
such as the well-known OCB mode of operation. In terms of features, the constructions provide several new offerings which
are not present in earlier works. This work significantly widens the range of choices available to a designer of
cryptographic systems.