The Security of the Extended Codebook (XCB) Mode of Operation
The XCB mode of operation was outlined in 2004 as a contribution to the IEEE Security in Storage effort, but no security analysis was provided. In this paper, we provide a proof of security for XCB, and show that it is a secure tweakable (super) pseudorandom permutation. Our analysis makes several new contributions: it uses an algebraic property of XCB's internal universal hash function to simplify the proof, and it defines a nonce mode in which XCB can be securely used even when the plaintext is shorter than twice the width of the underlying block cipher. We also show minor modifications that improve the performance of XCB and make it easier to analyze. XCB is interesting because it is highly efficient in both hardware and software, it has no alignment restrictions on input lengths, it can be used in nonce mode, and it uses the internal functions of the Galois/Counter Mode (GCM) of operation, which facilitates design re-use and admits multi-purpose implementations.
The Extended Codebook (XCB) Mode of Operation
We describe a block cipher mode of operation that implements a "tweakable" (super) pseudorandom permutation with an arbitrary block length. This mode can be used to provide the best possible security in systems that cannot allow data expansion, such as disk-block encryption and some network protocols. The mode accepts an additional input, which can be used to protect against attacks that manipulate the ciphertext by rearranging the ciphertext blocks.
Our mode is similar to a five-round Luby-Rackoff cipher in which the first and last rounds do not use the conventional Feistel structure, but instead use a single block cipher invocation. The third round is a Feistel structure using counter mode as a PRF. The second and fourth rounds are Feistel structures using a universal hash function; we re-use the polynomial hash over a binary field defined in the Galois/Counter Mode (GCM) of operation for block ciphers. This choice provides efficiency in both hardware and software and allows for re-use of implementation effort. XCB also has several useful properties: it accepts arbitrarily-sized plaintexts and associated data, including any plaintexts with lengths that are no smaller than the width of the block cipher.
This document is a pre-publication draft manuscript
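The polynomial hash that the two XCB abstracts above describe reusing from GCM, written out as an added example; this is not code from the abstracts, from XCB's specification, or from the IEEE standard, and it does not reproduce how XCB formats the hash input (it follows GCM's own padding and length-block convention instead). It implements multiplication in GF(2^128) in GCM's bit ordering (NIST SP 800-38D, Algorithm 1) and Horner-rule hashing over 128-bit blocks, and then checks the property that makes this a universal hash rather than a pseudorandom function: for a fixed key H it is linear over GF(2) in the hashed blocks (affine once the fixed length block is appended). That is consistent with its role in XCB as one Feistel round sandwiched between block-cipher and counter-mode rounds, not as a standalone primitive. The key H below is the well-known GCM test-vector value AES-128(0^128) under the all-zero key; the message bytes are constructed for the example.

```python
# Added example: GCM's polynomial hash (GHASH, NIST SP 800-38D) over GF(2^128),
# the universal hash that XCB reuses in its second and fourth rounds.
# Illustration only: XCB's own hash-input formatting is not reproduced here.

# Reduction constant for x^128 + x^7 + x^2 + x + 1 in GCM's bit order
# (coefficient of x^0 is the leftmost bit of the 128-bit block).
R = 0xE1 << 120
# Multiplicative identity (the element x^0).
ONE = 1 << 127


def gf128_mul(x: int, y: int) -> int:
    """Multiply two field elements, bit-serially (SP 800-38D, Algorithm 1)."""
    assert 0 <= x < (1 << 128) and 0 <= y < (1 << 128)
    z, v = 0, y
    for i in range(128):
        # Bit i of x, counting from the leftmost bit, is the coefficient of x^i.
        if (x >> (127 - i)) & 1:
            z ^= v
        # v <- v * x, reducing when the x^127 coefficient (rightmost bit) is set.
        if v & 1:
            v = (v >> 1) ^ R
        else:
            v >>= 1
    return z


def ghash(h: int, blocks: list[int]) -> int:
    """Horner evaluation: Y_i = (Y_{i-1} xor X_i) * H over 128-bit blocks."""
    y = 0
    for x in blocks:
        y = gf128_mul(y ^ x, h)
    return y


def to_blocks(data: bytes) -> list[int]:
    """Split bytes into 16-byte blocks, zero-padding the final block (GCM style)."""
    return [
        int.from_bytes(data[i:i + 16].ljust(16, b"\x00"), "big")
        for i in range(0, len(data), 16)
    ]


def ghash_bytes(h_key: bytes, data: bytes) -> bytes:
    """GHASH over a byte string followed by a 128-bit big-endian bit-length block."""
    h = int.from_bytes(h_key, "big")
    blocks = to_blocks(data) + [len(data) * 8]
    return ghash(h, blocks).to_bytes(16, "big")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def linearity_holds(h_key: bytes, m1: bytes, m2: bytes) -> bool:
    """For equal-length inputs, the keyed hash is affine over GF(2) in the data:
    GHASH(m1) xor GHASH(m2) xor GHASH(0^n) == GHASH(m1 xor m2).
    The GHASH(0^n) term cancels the fixed length-block contribution."""
    assert len(m1) == len(m2)
    zeros = bytes(len(m1))
    lhs = xor_bytes(xor_bytes(ghash_bytes(h_key, m1), ghash_bytes(h_key, m2)),
                    ghash_bytes(h_key, zeros))
    return lhs == ghash_bytes(h_key, xor_bytes(m1, m2))


if __name__ == "__main__":
    # H = AES-128 of the zero block under the all-zero key (GCM test vector).
    H_KEY = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
    # Constructed sample messages (40 bytes each, not block-aligned on purpose).
    M1, M2 = bytes(range(40)), bytes(range(40, 80))
    print("GHASH(M1) =", ghash_bytes(H_KEY, M1).hex())
    print("linear in the data for fixed H:", linearity_holds(H_KEY, M1, M2))
```

Because the hash is linear in the data for a fixed key, anyone who can observe its raw output on chosen inputs can forge outputs for new inputs, so it is only safe where the key or the output is hidden behind a block-cipher layer, as in the XCB construction described above.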
Another Look at XCB
XCB is a tweakable enciphering scheme (TES) which was first proposed in 2004. The scheme was modified in 2007. We call these two versions of XCB XCBv1 and XCBv2 respectively. XCBv2 was later proposed as a standard for encryption of sector oriented storage media in IEEE Std 1619.2-2010. There is no known proof of security for XCBv1 but the authors provided a concrete security bound for XCBv2 and a "proof" for justifying the bound. In this paper we show that XCBv2 is not secure as a TES by showing an easy distinguishing attack on it. For XCBv2 to be secure, the message space should contain only messages whose lengths are multiples of the block length of the block cipher. For such restricted message spaces also, the bound that the authors claim is not justified. We show this by pointing out some errors in the proof. For XCBv2 on full block messages, we provide a new security analysis. The resulting bound that can be proved is much worse than what has been claimed by the authors. Further, we provide the first concrete security bound for XCBv1, which holds for all message lengths. In terms of known security bounds, both XCBv1 and XCBv2 are worse compared to existing alternative TESs.
Survey and Benchmark of Block Ciphers for Wireless Sensor Networks
Cryptographic algorithms play an important role in the security architecture of wireless sensor networks (WSNs). Choosing the most storage- and energy-efficient block cipher is essential, due to the facts that these networks are meant to operate without human intervention for a long period of time with little energy supply, and that available storage is scarce on these sensor nodes. However, to our knowledge, no systematic work has been done in this area so far. We construct an evaluation framework in which we first identify the candidates of block ciphers suitable for WSNs, based on existing literature and authoritative recommendations. For evaluating and assessing these candidates, we not only consider the security properties but also the storage- and energy-efficiency of the candidates. Finally, based on the evaluation results, we select the most suitable ciphers for WSNs, namely Skipjack, MISTY1, and Rijndael, depending on the combination of available memory and required security (energy efficiency being implicit). In terms of operation mode, we recommend Output Feedback Mode for pairwise links but Cipher Block Chaining for group communications.
FAST: Disk Encryption and Beyond
This work introduces FAST which is a new family of tweakable enciphering schemes. Several instantiations of FAST are described. These are targeted towards two goals, the specific task of disk encryption and a more general scheme suitable for a wide variety of practical applications. A major contribution of this work is to present detailed and careful software implementations of all of these instantiations. For disk encryption, the results from the implementations show that FAST compares very favourably to the IEEE disk encryption standards XCB and EME2 as well as the more recent proposal AEZ. FAST is built using a fixed input length pseudo-random function and an appropriate hash function. It uses a single-block key, is parallelisable and can be instantiated using only the encryption function of a block cipher. The hash function can be instantiated using either the Horner's rule based usual polynomial hashing or hashing based on the more efficient Bernstein-Rabin-Winograd polynomials. Security of FAST has been rigorously analysed using the standard provable security approach and concrete security bounds have been derived. Based on our implementation results, we put forward FAST as a serious candidate for standardisation and deployment.
Disk Encryption: Do We Need to Preserve Length?
In the last one and a half decades there has been a lot of activity towards development of cryptographic techniques for disk encryption. It has been almost canonised that an encryption scheme suitable for the application of disk encryption must be length preserving, i.e., it rules out the use of schemes like authenticated encryption where an authentication tag is also produced as a part of the ciphertext resulting in ciphertexts being longer than the corresponding plaintexts. The notion of a tweakable enciphering scheme (TES) has been formalised as the appropriate primitive for disk encryption and it has been argued that they provide the maximum security possible for a tag-less scheme. On the other hand, TESs are less efficient than some existing authenticated encryption schemes. Also TESs cannot provide true authentication as they do not have authentication tags. In this paper, we analyze the possibility of the use of encryption schemes where length expansion is produced for the purpose of disk encryption. On the negative side, we argue that nonce based authenticated encryption schemes are not appropriate for this application. On the positive side, we demonstrate that deterministic authenticated encryption (DAE) schemes may have more advantages than disadvantages compared to a TES when used for disk encryption. Finally, we propose a new deterministic authenticated encryption scheme called BCTR which is suitable for this purpose. We provide the full specification of BCTR, prove its security and also report an efficient implementation in reconfigurable hardware. Our experiments suggest that BCTR performs significantly better than existing TESs and existing DAE schemes.
Benchmarking Block Ciphers for Wireless Sensor Networks
Choosing the most storage- and energy-efficient block cipher specifically for wireless sensor networks (WSNs) is not as straightforward as it seems. To our knowledge so far, there is no systematic evaluation framework for the purpose. We have identified the candidates of block ciphers suitable for WSNs based on existing literature. For evaluating and assessing these candidates, we have devised a systematic framework that not only considers the security properties but also the storage- and energy-efficiency of the candidates. Finally, based on the evaluation results, we have selected the suitable ciphers for WSNs, namely Rijndael for high security and energy efficiency requirements; and MISTY1 for good storage and energy efficiency.
Efficient Tweakable Enciphering Schemes from (Block-Wise) Universal Hash Functions
This paper describes several constructions of tweakable strong pseudorandom permutations (SPRPs) built from different modes of operation of a block cipher and suitable universal hash functions. For the electronic codebook (ECB) based construction, an invertible blockwise universal hash function is required. We simplify an earlier construction of such a function described by Naor and Reingold. The other modes of operation considered are the counter mode and the output feedback (OFB) mode. All the constructions make the same number of block cipher calls and the same number of multiplications. Combined with a class of polynomials defined by Bernstein, the new constructions provide the currently best known algorithms for the important practical problem of disk encryption.
Statistical Testing for Disk Encryption Modes of Operations
In this paper we present a group of statistical tests that explore the random behavior of encryption modes of operation, when used in disk encryption applications. The results of these tests help us to better understand how these modes work. We tested ten modes of operation with the presented statistical tests, five of the narrow-block type and the other five of the wide-block type. Our analysis shows some weakness in some of these modes.