Combining message encryption and authentication

The first part of the paper explains the need for combining message encryption and authentication. We begin with the example to emphasize the fact that privacy‡ does not imply authenticity. Then we prove, one needs both privacy and authenticity, even if one's aim is just getting privacy. In the second part we present an overview of different methods for providing authenticated encryption (AE) i.e. generic compositions, single-pass modes and two-pass combined modes. We analyze what are the advantages and disadvantages of different AE constructions. In the third part of the paper we focus on nonce§ based authenticated encryption modes. Our motivation is the wish to know the methodology of designing authenticated encryption mode of operation. We take into consideration a few most important properties, e.g. parallelizability, memory requirements and pre-processing capability. We analyze possibilities of choice of underlying encryption and authentication components and their order in a message we also try to answer. What does single-key mode really mean? Finally we mention the importance of provable security theory in the security of authenticated encryption modes

A Mode of Operation with Partial Encryption and Message Integrity

At the recent AES Modes of Operation Conference, several modes of operation were proposed for using a block cipher to provide both confidentiality and authentication. These modes require only a little more work than the cost of encryption alone, and come with proofs of security. However, these modes require the entire message to be sent in encrypted form. This can cause problems in situations where some of the message neeeds to be sent in plaintext while still being authenticated. This paper describes a simple variation that allows any choice of message blocks to be sent in plaintext form rather than in encrypted form. This mode, Partial Encryption with Message Integrity (PEMI), is shown to be secure for message integrity and message secrecy

Power of a Public Random Permutation and its Application to Authenticated-Encryption

In this paper, we first show that many independent pseudorandom permutations over $\{0,1\}^n$ can be obtained from a single public random permutation and secret $n$ bits. We next prove that a slightly modified IAPM is secure even if the underlying block cipher $F$ is publicly accessible (as a blackbox). We derive a similar result for OCB mode, too. We finally prove that our security bound is tight within a constant factor

1. Kryptotag - Workshop über Kryptographie

Der Report enthält eine Sammlung aller Beiträge der Teilnehmer des 1. Kryptotages am 1. Dezember 2004 in Mannheim

Encryption Modes with Almost Free Message Integrity

We define a new mode of operation for block ciphers which in addition to providing confidentiality also ensures message integrity. In contrast, previously for message integrity a separate pass was required to compute a cryptographic message authentication code (MAC). The new mode of operation, called Integrity Aware Parallelizable Mode (IAPM), requires a total of m+1 block cipher evaluations on a plain-text of length m blocks. For comparison, the well known CBC (cipher block chaining) encryption mode requires m block cipher evaluations, and the second pass of computing the CBC-MAC essentially requires additional m+1 block cipher evaluations. As the name suggests, the new mode is also highly parallelizable

Cryptographic Applications of the Duplex Construction

Assured security is the desirable feature of modern cryptography. Most of moderncryptography primitives have no provably secure constructions. Their safety is defined on the basis ofwell-known in the given time cryptanalytic attacks. The duplex construction equipped with one idealpermutation and appropriate security parameters is suitable for building provably secure cryptographicprimitives. The constructions can be used for unclassified information of different sensitivity levelsprotection. Some of them can secure classified information up to the TOP SECRET level. Theapplications based on the duplex construction can be used for key wrapping, authenticated encryptionand can work as a pseudo-random bit sequence generator. They are not covered by any knownintellectual property

Design and Cryptanalysis of a Customizable Authenticated Encryption Algorithm

It is common knowledge that encryption is a useful tool for providing confidentiality. Authentication, however, is often overlooked. Authentication provides data integrity; it helps ensure that any tampering with or corruption of data is detected. It also provides assurance of message origin. Authenticated encryption (AE) algorithms provide both confidentiality and integrity / authenticity by processing plaintext and producing both ciphertext and a Message Authentication Code (MAC). It has been shown too many times throughout history that encryption without authentication is generally insecure. This has recently culminated in a push for new authenticated encryption algorithms. There are several authenticated encryption algorithms in existence already. However, these algorithms are often difficult to use correctly in practice. This is a significant problem because misusing AE constructions can result in reduced security in many cases. Furthermore, many existing algorithms have numerous undesirable features. For example, these algorithms often require two passes of the underlying cryptographic primitive to yield the ciphertext and MAC. This results in a longer runtime. It is clear that new easy-to-use, single-pass, and highly secure AE constructions are needed. Additionally, a new AE algorithm is needed that meets stringent requirements for use in the military and government sectors. This thesis explores the design and cryptanalysis of a novel, easily customizable AE algorithm based on the duplex construction. Emphasis is placed on designing a secure pseudorandom permutation (PRP) for use within the construction. A survey of state of the art cryptanalysis methods is performed and the resistance of our algorithm against such methods is considered. The end result is an algorithm that is believed to be highly secure and that should remain secure if customizations are made within the provided guidelines

The INT-RUP Security of OCB with Intermediate (Parity) Checksum

OCB is neither integrity under releasing unvieried plaintext (INT-RUP) nor nonce-misuse resistant. The tag of OCB is generated by encrypting plaintext checksum, which is vulnerable in the INT-RUP security model. This paper focuses on the weakness of the checksum processing in OCB. We describe a new notion, called plaintext or ciphertext checksum (PCC), which is a generalization of plaintext checksum, and prove that all authenticated encryption schemes with PCC are insecure in the INT-RUP security model. Then we x the weakness of PCC, and describe a new approach called intermediate (parity) checksum (I(P)C for short). Based on the I(P)C approach, we provide two modied schemes OCB-IC and OCB-IPC to settle the INT-RUP of OCB in the nonce-misuse setting. OCB-IC and OCB-IPC are proven INT-RUP up to the birthday bound in the nonce-misuse setting if the underlying tweakable blockcipher is a secure mixed tweakable pseudorandom permutation (MTPRP). The security bound of OCB-IPC is tighter than OCB-IC. To improve their speed, we utilize a \prove-then-prune approach: prove security and instantiate with a scaled-down primitive (e.g., reducing rounds for the underlying primitive invocations)

Efficient Lattice-based Authenticated Encryption: A Practice-Oriented Provable Security Approach

Lattice-based cryptography has been received significant attention in the past decade. It has attractive properties such as being a major post-quantum cryptography candidate, enjoying worst-case to average-case security reductions, and being supported by efficient implementations.In recent years, lattice-based schemes have achieved enough maturity to become interesting also for the industry. Additionally, authenticated encryption (AE) is another important topic in the community of cryptography. In this paper, considering two above-mentioned subjects, we propose three lattice-based AEs with an acceptable practical efficiency. These schemes are provably secure assuming the hardness of elementary lattice problems. That is in contrast to the other practical provably-secure AEs, which are based on the hardness assumption of another cryptographic primitive, such as AES. Moreover, we analyze the exact security of these schemes in the paradigm of practice-oriented provable security, while the security proofs of almost all previous lattice-based schemes are asymptotic. The implementation results show that one of the proposed schemes becomes even faster than an AES-256-GCM implementation to encrypt messages of length 64 bytes or longer. Particularly, for a 1500-byte message, this scheme is 34% faster than AES-256-GCM