
Showing papers on "Authenticated encryption published in 2003"


01 Sep 2003
TL;DR: Counter with CBC-MAC (CCM) is a generic authenticated encryption block cipher mode for use with 128-bit block ciphers, such as the Advanced Encryption Standard (AES).
Abstract: Counter with CBC-MAC (CCM) is a generic authenticated encryption block cipher mode. CCM is defined for use with 128-bit block ciphers, such as the Advanced Encryption Standard (AES).

381 citations


Journal ArticleDOI
TL;DR: It is proved OCB secure, quantifying the adversary's ability to violate the mode's privacy or authenticity in terms of the quality of its block cipher as a pseudorandom permutation (PRP) or as a strong PRP, respectively.
Abstract: We describe a parallelizable block-cipher mode of operation that simultaneously provides privacy and authenticity. OCB encrypts-and-authenticates a nonempty string M ∈ {0, 1}* using ⌈|M|/n⌉ + 2 block-cipher invocations, where n is the block length of the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, suggested by Charanjit Jutla. Desirable properties of OCB include the ability to encrypt a bit string of arbitrary length into a ciphertext of minimal length, cheap offset calculations, cheap key setup, a single underlying cryptographic key, no extended-precision addition, a nearly optimal number of block-cipher calls, and no requirement for a random IV. We prove OCB secure, quantifying the adversary's ability to violate the mode's privacy or authenticity in terms of the quality of its block cipher as a pseudorandom permutation (PRP) or as a strong PRP, respectively.

311 citations



Book ChapterDOI
17 Aug 2003
TL;DR: Simple password authentication, e.g. from an email client to a remote IMAP server, is frequently carried over a protected peer-to-peer tunnel such as SSL/TLS.
Abstract: Simple password authentication is often used e.g. from an email software application to a remote IMAP server. This is frequently done in a protected peer-to-peer tunnel, e.g. by SSL/TLS.

178 citations


Journal Article
TL;DR: Vaudenay's CBC padding attack is extended and optimized so that it applies to the then-current SSL/TLS implementations, allowing a password sent to an IMAP server over a protected SSL/TLS tunnel to be intercepted in under an hour in a typical setting.
Abstract: Simple password authentication is often used e.g. from an email software application to a remote IMAP server. This is frequently done in a protected peer-to-peer tunnel, e.g. by SSL/TLS. At Eurocrypt'02, Vaudenay presented vulnerabilities in padding schemes used for block ciphers in CBC mode. He used a side channel, namely error information in the padding verification. This attack was not possible against SSL/TLS due to both unavailability of the side channel (errors are encrypted) and premature abortion of the session in case of errors. In this paper we extend the attack and optimize it. We show it is actually applicable against the latest and most popular implementations of SSL/TLS (at the time this paper was written) for password interception. We demonstrate that a password for an IMAP account can be intercepted in less than an hour in a typical setting, when the attacker is not too far from the server. We conclude that these versions of the SSL/TLS implementations are not secure when used with block ciphers in CBC mode and propose ways to strengthen them. We also propose to update the standard protocol.

132 citations


Posted Content
TL;DR: CWC, a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data, is introduced; it is claimed to be the first such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns.
Abstract: We introduce CWC, a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data. CWC is currently the only such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns. We believe that having all five of these properties makes CWC a powerful tool for use in many performance-critical cryptographic applications. CWC is also the only appropriate solution for some applications; e.g., standardization bodies like the IETF and NIST prefer patent-free modes, and CWC is the only such mode capable of processing data at 10Gbps in hardware, which will be important for future IPsec (and other) network devices. As part of our design, we also introduce a new parallelizable universal hash function optimized for performance in both hardware and software.

96 citations


Book ChapterDOI
08 Sep 2003
TL;DR: The version-number check that SSL/TLS performs on the decrypted PKCS#1 v1.5 plaintext gives the attacker a bad-version oracle (BVO); the paper extends Bleichenbacher's attack on PKCS#1 v1.5 to exploit it and invert RSA encryption on real servers.
Abstract: In this paper we present a practically feasible attack on RSA-based sessions in SSL/TLS protocols. We show that incorporating a version number check over PKCS#1 plaintext used in the SSL/TLS creates a side channel that allows an attacker to invert the RSA encryption. The attacker can then either recover the premaster-secret or sign a message on behalf of the server. Practical tests showed that two thirds of randomly chosen Internet SSL/TLS servers were vulnerable. The attack is an extension of Bleichenbacher’s attack on PKCS#1 (v. 1.5). We introduce the concept of a bad-version oracle (BVO) that covers the side channel leakage, and present several methods that speed up the original algorithm. Our attack was successfully tested in practice and the results of complexity measurements are presented in the paper.

69 citations
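The bad-version oracle as a runnable illustration, added here and not taken from the paper: a textbook RSA/PKCS#1 v1.5 premaster-secret decryption that reports padding failures and version failures differently, beside the hardened handling in which any failure is replaced by a random premaster secret carrying the expected version bytes, so the handshake fails later and identically for every bad ciphertext. Assumptions: a toy modulus built from two Mersenne primes (trivially factorable, chosen only to avoid prime generation), a 16-byte premaster secret instead of TLS's 48 bytes, and three probe ciphertexts constructed in the block.

```python
import os

# Toy RSA key from two Mersenne primes so no prime generation is needed.
# It is trivially factorable: this is for demonstrating the oracle, nothing else.
P, Q = (1 << 127) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8        # modulus length in bytes (27 here)
PMS_LEN = 16                          # scaled-down premaster secret (TLS: 48 bytes)
CLIENT_VERSION = b"\x03\x01"          # version bytes that start the premaster secret

class BadPadding(Exception):
    pass

class BadVersion(Exception):
    pass

def pkcs1_v15_pad(msg):
    """EME-PKCS1-v1_5 (type 2): 00 || 02 || PS (nonzero, >= 8 bytes) || 00 || M."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long")
    ps = bytes(b or 1 for b in os.urandom(ps_len))   # padding string must not contain 0x00
    return b"\x00\x02" + ps + b"\x00" + msg

def pkcs1_v15_unpad(block):
    if block[:2] != b"\x00\x02":
        raise BadPadding
    sep = block.find(b"\x00", 2)
    if sep < 10:                       # no separator, or padding string shorter than 8 bytes
        raise BadPadding
    return block[sep + 1:]

def rsa_encrypt(block):
    return pow(int.from_bytes(block, "big"), E, N).to_bytes(K, "big")

def rsa_decrypt(ct):
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")

def vulnerable_server(ct):
    """Pre-fix server: a padding failure and a version failure are reported differently,
    so an attacker feeding adaptively chosen ciphertexts learns about the plaintext."""
    pms = pkcs1_v15_unpad(rsa_decrypt(ct))      # BadPadding here is Bleichenbacher's oracle
    if len(pms) != PMS_LEN or pms[:2] != CLIENT_VERSION:
        raise BadVersion                        # the bad-version oracle (BVO)
    return pms

def hardened_server(ct):
    """Countermeasure: always prepare a random premaster secret with the expected version
    bytes and use it whenever any check fails. The handshake then fails later, at the
    Finished message, in the same way for every malformed ciphertext."""
    fallback = CLIENT_VERSION + os.urandom(PMS_LEN - 2)
    try:
        pms = pkcs1_v15_unpad(rsa_decrypt(ct))
    except BadPadding:
        pms = fallback
    if len(pms) != PMS_LEN or pms[:2] != CLIENT_VERSION:
        pms = fallback
    return pms

def oracle_response(server, ct):
    """What an attacker can distinguish from outside the server."""
    try:
        server(ct)
        return "accepted"
    except BadPadding:
        return "bad padding"
    except BadVersion:
        return "bad version"

def classify_probe_set(server):
    """Three constructed ciphertexts: well-formed, well-padded but wrong version, and
    mis-padded. Returns the set of distinguishable responses."""
    good = rsa_encrypt(pkcs1_v15_pad(CLIENT_VERSION + bytes(range(14))))
    wrong_version = rsa_encrypt(pkcs1_v15_pad(b"\x02\x00" + bytes(14)))
    mis_padded = rsa_encrypt(b"\x00\x01" + b"\xff" * (K - 2))
    return {oracle_response(server, c) for c in (good, wrong_version, mis_padded)}
```

The vulnerable server exposes three distinguishable outcomes, the hardened one exactly one. Python cannot make the substitution constant-time, so a real implementation does the select without a data-dependent branch, as RFC 5246 section 7.4.7.1 describes for this exact check.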


Journal ArticleDOI
TL;DR: Adopting the concept of self-certified public keys, a new signature scheme with message recovery is proposed with two properties: the signer's public key is authenticated as part of verifying the signature, and the receiver obtains the message from the signature itself.

54 citations


Posted Content
TL;DR: EAX as mentioned in this paper is a block-cipher scheme for authenticated-encryption with associated data (AEAD) that is provably secure under a standard complexity-theoretic assumption.
Abstract: We propose a block-cipher mode of operation, EAX, for authenticated-encryption with associated data (AEAD). Given a nonce N, a message M, and a header H, the mode protects the privacy of M and the authenticity of both M and H. Strings N, M, H ∈ {0, 1}* are arbitrary, and the mode uses 2⌈|M|/n⌉ + ⌈|H|/n⌉ + ⌈|N|/n⌉ block-cipher calls when these strings are nonempty and n is the block length of the underlying block cipher. Among EAX's characteristics are that it is on-line (the length of a message isn't needed to begin processing it) and a fixed header can be pre-processed, effectively removing the per-message cost of binding it to the ciphertext. EAX is obtained by instantiating a simple generic-composition method, EAX2, and then collapsing its two keys into one. EAX is provably secure under a standard complexity-theoretic assumption. EAX is an alternative to CCM [19], and is likewise patent-free.

52 citations


Book ChapterDOI
10 Oct 2003
TL;DR: An efficient convertible authenticated encryption scheme that gives better protection to both the signer and the specified receiver is proposed, together with an efficient, lower-communication convertible authenticated encryption scheme with message linkages.
Abstract: The authenticated encryption scheme allows the specified receiver to simultaneously recover and verify a message. Recently, to protect the receiver’s benefit of a later dispute, Wu and Hsu proposed a convertible authenticated encryption scheme in which the receiver can convert the signature into an ordinary one that can be verified by anyone. However, Wu and Hsu’s scheme doesn’t consider that once the intruder knows the message then the intruder can also easily convert a signature into an ordinary digital signature. In this situation, the intruder may force the signer to be responsible for the terms of agreement of the documents and cause confusion. In this paper, we propose an efficient convertible authenticated encryption scheme which can provide better protection for both the signer and the specified receiver. On the other hand, we also propose an efficient and lower communication convertible authenticated encryption scheme with message linkages. It can be regarded as a variant of the convertible authenticated encryption scheme in that it is designed to link up the message blocks to avoid the message block being reordered, replicated, or partially deleted during the transmission.

41 citations


Journal ArticleDOI
TL;DR: A new authenticated encryption scheme with public verifiability requires less computation and communication overhead than the conventional signature-then-encryption approaches, and the message is not divulged during public verification.
Abstract: A new authenticated encryption scheme with public verifiability is presented. The new scheme requires less computational costs and communication overhead than the conventional signature-then-encryption approaches. Furthermore the message is not divulged during the public verification.

Journal ArticleDOI
TL;DR: This work improves the basic scheme and proposes a generalized scheme, which allows the receiver to recover the partial message blocks before receiving the entire signature blocks and requires smaller bandwidth and computational time as compared to the previously proposed authenticated encryption schemes with message linkages for message flows.

01 Jan 2003
TL;DR: In this article, the authors introduce the notion of concealment, which is related to commitment but quite different from commitment, and show that concealments are exactly the right abstraction allowing one to use authenticated encryption for encrypting long messages.
Abstract: We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals "no information" about m, while (2) the binder b can be "meaningfully opened" by at most one hider h. While setting b = m, h = ∅ is a trivial concealment, the challenge is to make |b| ≪ |m|, which we call a "non-trivial" concealment. We show that non-trivial concealments are equivalent to the existence of collision-resistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations. We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let AE be an authenticated encryption scheme (either public- or symmetric-key) designed to work on short messages. We show that concealments are exactly the right abstraction allowing one to use AE for encrypting long messages. Namely, to encrypt "long" m, one uses a concealment scheme to get h and b, and outputs authenticated ciphertext 〈AE(b), h〉. More surprisingly, the above paradigm leads to a very simple and general solution to the problem of remotely keyed (authenticated) encryption (RKAE) [12, 13]. In this problem, one wishes to split the task of high-bandwidth authenticated encryption between a secure, but low-bandwidth/computationally limited device, and an insecure, but computationally powerful host. We give formal definitions for RKAE, which we believe are simpler and more natural than all the previous definitions. We then show that our composition paradigm satisfies our (very strong) definition. Namely, for authenticated encryption, the host simply sends a short value b to the device (which stores the actual secret key for AE), gets back AE(b), and outputs 〈AE(b), h〉 (authenticated decryption is similar). Finally, we also observe that the particular schemes of [13, 18] are all special examples of our general paradigm.
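An added example serving two of the entries above: the AEAD interface (nonce, header, message in; ciphertext and tag out; header and ciphertext authenticated before any plaintext is released) that the CCM, OCB, CWC and EAX entries describe, and the concealment-based RKAE composition 〈AE(b), h〉 of this abstract. This is my illustration, not code from any of the papers. Assumptions not on the page: encrypt-then-MAC with an HMAC-SHA256 counter keystream stands in for a real block-cipher mode; the concealment takes a one-time keystream encryption of m under a fresh key τ as the hider and (τ, SHA-256(hider)) as the binder, in the spirit of the paper's hash-based construction; the device's AE runs with an empty header.

```python
import hashlib, hmac, os

TAG_LEN = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (a PRF standing in for a block cipher)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _tag(km, nonce, header, ct):
    # Length-prefix the variable-length fields so (header, nonce, ct) cannot be re-split.
    data = (len(header).to_bytes(4, "big") + header
            + len(nonce).to_bytes(4, "big") + nonce + ct)
    return hmac.new(km, data, hashlib.sha256).digest()[:TAG_LEN]

def ae_encrypt(key, nonce, header, msg):
    """AEAD as encrypt-then-MAC: privacy for msg, authenticity for header, nonce and ciphertext."""
    ke, km = _subkeys(key)
    ct = _xor(msg, _keystream(ke, nonce, len(msg)))
    return ct + _tag(km, nonce, header, ct)

def ae_decrypt(key, nonce, header, ct_tag):
    ke, km = _subkeys(key)
    ct, tag = ct_tag[:-TAG_LEN], ct_tag[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(km, nonce, header, ct)):
        raise ValueError("authentication failed")   # nothing is decrypted on failure
    return _xor(ct, _keystream(ke, nonce, len(ct)))

def conceal(m):
    """Non-trivial concealment: hider h = one-time encryption of m under a fresh key tau,
    binder b = (tau, SHA-256(h)). |b| is 64 bytes whatever |m| is."""
    tau = os.urandom(32)
    h = _xor(m, _keystream(tau, b"", len(m)))
    return h, tau + hashlib.sha256(h).digest()

def open_concealment(h, b):
    tau, digest = b[:32], b[32:]
    if not hmac.compare_digest(hashlib.sha256(h).digest(), digest):
        raise ValueError("binder does not open this hider")   # collision resistance at work
    return _xor(h, _keystream(tau, b"", len(h)))

class Device:
    """Low-bandwidth trusted device: holds the AE key and only ever processes short binders."""
    def __init__(self, key):
        self._key = key

    def ae(self, nonce, b):
        return ae_encrypt(self._key, nonce, b"", b)

    def ad(self, nonce, c):
        return ae_decrypt(self._key, nonce, b"", c)

def rkae_encrypt(device, nonce, m):
    h, b = conceal(m)                   # the host does the bulk work, without any key
    return device.ae(nonce, b), h       # output <AE(b), h>

def rkae_decrypt(device, nonce, c, h):
    return open_concealment(h, device.ad(nonce, c))
```

The device's traffic per message is the 64-byte binder plus a tag, independent of |m|, and a forged hider is caught by the binder's hash before the host can produce any plaintext.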

Book ChapterDOI
14 Aug 2003
TL;DR: This paper proposes a generic construction called Decrypt-Then-Mask, and proves its security in the blockwise adversarial model, and proposes an instantiation of this scheme, using the encrypted CBC-MAC algorithm, a secure pseudorandom number generator and the Delayed variant of the CBC encryption scheme.
Abstract: In this paper, we investigate the authenticated encryption paradigm, and its security against blockwise adaptive adversaries, mounting chosen ciphertext attacks on on-the-fly cryptographic devices. We remark that most of the existing solutions are insecure in this context, since they provide a decryption oracle for any ciphertext. We then propose a generic construction called Decrypt-Then-Mask, and prove its security in the blockwise adversarial model. The advantage of this proposal is to apply minimal changes to the encryption protocol. In fact, in our solution, only the decryption protocol is modified, while the encryption part is left unchanged. Finally, we propose an instantiation of this scheme, using the encrypted CBC-MAC algorithm, a secure pseudorandom number generator and the Delayed variant of the CBC encryption scheme.

01 Jan 2003
TL;DR: Having all three of these properties makes CWC a strong candidate for use with future high-performance systems, and is currently the only dedicated authenticated encryption with associated data (AEAD) scheme that simultaneously has these three properties.
Abstract: We introduce CWC, a new block cipher mode of operation designed to protect both the privacy and the authenticity of encapsulated data. Important properties of CWC include: 1. Performance. CWC is parallelizable and is efficient in both hardware and software. 2. Security. CWC is provably secure and its provable security depends only on the pseudorandomness of the underlying block cipher. No other cryptographic primitives are used and no other assumptions are made. 3. Patent-free. To the best of our knowledge CWC is not covered by any patents. CWC is currently the only dedicated authenticated encryption with associated data (AEAD) scheme that simultaneously has these three properties (e.g., CCM and EAX are not parallelizable and OCB is not patent-free). Having all three of these properties makes CWC a strong candidate for use with future high-performance systems.

Journal ArticleDOI
TL;DR: A universal forgery attack on Araki et al.'s convertible authenticated encryption scheme is shown, and a new convertible authenticated encryption scheme is proposed whose security rests on a single public hard problem, the discrete logarithm problem.
Abstract: An authenticated encryption allows the designated recipient to verify the authenticity while recovering the message. To protect the recipient's benefit in case of a later dispute, a convertible authenticated encryption scheme allows the recipient to convert the authenticated encryption into an ordinary signature so that it becomes publicly verifiable. This paper shows a universal forgery attack on Araki et al.'s convertible authenticated encryption scheme, and proposes a new convertible authenticated encryption scheme. Without using any conventional one-way function, the proposed scheme simplifies its security assumption to only a public hard problem, the discrete logarithm problem.

Journal ArticleDOI
TL;DR: Ma and Chen have proposed an authenticated encryption scheme with public verifiability which claims that the TTP can publicly verify the sender's signature without running a zero knowledge proof protocol.
Abstract: Ma and Chen have proposed an authenticated encryption scheme with public verifiability. The scheme claims that the TTP can publicly verify the sender's signature without running a zero knowledge proof protocol. The problem in verification which causes the TTP to reject a valid signature with non-negligible probability is pointed out.

Patent
Toshihiko Fukuoka, Taemi Wada
08 Aug 2003
TL;DR: In this paper, a shared processing block is configured to have the ability to perform encryption and decryption in either of the CBC mode and the CFB mode by performing ECB processing using input key data, and performs encryption or decoding in the mode indicated by the mode selection signal.
Abstract: The encryption/decryption device includes: a data structure analysis block for receiving encrypted data or data to be encrypted and outputting control data and also the encrypted data or the data to be encrypted as processing block input data; a data control block for determining a mode selection signal according to the control data; and a shared processing block for performing encryption or decryption for the processing block input data and outputting the result. The shared processing block is configured to have the ability to perform encryption and decryption in either of the CBC mode and the CFB mode by performing ECB processing using input key data, and performs encryption or decryption in the mode indicated by the mode selection signal.

Posted Content
TL;DR: Ma and Chen as discussed by the authors proposed a new authenticated encryption scheme with public verifiability, which does not satisfy three security properties: unforgeability, confidentiality and non-repudiation.
Abstract: Ma and Chen proposed a new authenticated encryption scheme with public verifiability. This scheme requires less computational cost and communication overhead than the conventional signature-then-encryption approaches. In this letter, we show that the Ma-Chen scheme does not satisfy three security properties: unforgeability, confidentiality and non-repudiation. Introduction: For electronic commerce applications, evidence of possession of documents is especially important. A digital signature is analogous to an ordinary hand-written signature and establishes both signer authenticity and data integrity. However, in many applications it is necessary to keep commercial documents confidential to protect the privacy of users. One simple way to implement such an authenticated encryption scheme is to sign and encrypt the message separately, either sign-then-encrypt or encrypt-then-sign. This leaves the signature and the ciphertext as separate objects. The other way is to combine signature and encryption in order to reduce computational cost and communication overhead. In 1997, Zheng proposed two such combined schemes [1], called signcryption schemes, in which message encryption and digital signature are fulfilled simultaneously in a logically single step. Besides some security shortcomings [2, 3], the Zheng schemes are not efficient, as a zero-knowledge proof is required in their non-repudiation protocol. Recently, Ma and Chen proposed a new authenticated encryption scheme with public verifiability [4]. They claimed that their scheme is as efficient as the Zheng signcryption schemes with respect to both computational cost and communication overhead. In addition, their scheme has an efficient non-repudiation procedure that does not use a zero-knowledge proof protocol. Ma and Chen further claimed that their scheme satisfies three security properties: unforgeability, confidentiality and non-repudiation.
In this letter, we show that the Ma-Chen scheme is not only erroneous but also insecure. The honest receiver cannot convince the judge that a valid signature was signed by the true signer, while a dishonest receiver can deceive the judge into believing a forged signature of any message. Moreover, if the scheme is adapted to long messages, it cannot withstand a known plaintext-ciphertext attack. Brief review of the Ma-Chen scheme: Initially, two large primes p and q with q | (p − 1) and an element g ∈ Z_p of order q are computed by a trusted third party (TTP for short) and are authenticated to each user. Each user i ∈ {A, B} chooses a secret key x_i ∈ Z_q and computes his public key y_i = g^{x_i} mod p. He publishes y_i which is

Ik Rae Jeong, Hee Yun Jeong, Hyun Sook Rhee, Donghoon Lee, Jongin Lim
01 Jan 2003
TL;DR: In this article, the authors proposed a generic hybrid signcryption scheme called DHEtS using encrypt-then-sign composition method, which uses a symmetric encryption scheme, a signature scheme, and the DH key agreement scheme.
Abstract: To make authenticated encryption, which provides confidentiality and authenticity of a message simultaneously, a signcryption scheme uses asymmetric primitives, such as an asymmetric encryption scheme for confidentiality and a signature scheme for authentication. Among signcryption schemes, the hybrid signcryption schemes use a key agreement scheme to exchange a symmetric encryption key and then encrypt the plaintext with a symmetric encryption scheme. Hybrid signcryption schemes are especially efficient for signcrypting bulk data because of their use of symmetric encryption. Hence, to achieve the joint goals of confidentiality and authenticity, most practical implementations use hybrid signcryption schemes. In this paper, we study the properties of signcryption and propose a new generic hybrid signcryption scheme called DHEtS, built by the encrypt-then-sign composition method. DHEtS uses a symmetric encryption scheme, a signature scheme, and the DH key agreement scheme. We analyze DHEtS with respect to the properties of signcryption, and show that DHEtS provides non-repudiation and public verifiability. DHEtS is the first provably secure signcryption scheme with public verifiability. If the encrypting and signing components of DHEtS can use the same random coins, the computational cost and the size of a signcryption are greatly reduced. We show the conditions on the signing component needed to achieve this randomness-efficiency.
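The hybrid encrypt-then-sign signcryption the abstract describes, written out as an added example. This is my illustration of the DHEtS structure (DH key agreement, symmetric encryption, then a signature), not the authors' scheme, and everything the abstract leaves open is an assumption here: static Diffie-Hellman between the two long-term keys with a SHA-256 key derivation that binds both public keys, an HMAC-SHA256 counter keystream as the symmetric cipher, Schnorr signatures over a freshly generated 512-bit Schnorr group (toy size, seeded RNG so the run is reproducible), and a signature over the nonce, the ciphertext and the recipient's public key.

```python
import hashlib, hmac, random

_rng = random.Random(2003)  # reproducible for the example; use the secrets module in practice

def _is_prime(n, rounds=24):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(pbits=512, qbits=160):
    """Schnorr group: primes q and p = k*q + 1 plus a generator g of the order-q subgroup."""
    while True:
        q = _rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if _is_prime(q):
            break
    while True:
        p = (_rng.getrandbits(pbits - qbits) & ~1) * q + 1   # even k keeps p odd
        if p.bit_length() == pbits and _is_prime(p):
            break
    while True:
        g = pow(_rng.randrange(2, p - 1), (p - 1) // q, p)
        if g != 1:
            return p, q, g

P, Q, G = make_group()           # toy sizes, far too small for real use
_PLEN = (P.bit_length() + 7) // 8

def _enc(v):
    return v.to_bytes(_PLEN, "big")

def _h(*parts):
    """Hash to Z_q over length-prefixed fields."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q

def keygen():
    x = _rng.randrange(1, Q)
    return x, pow(G, x, P)

def sign(x, msg):
    """Schnorr signature (e, s): e = H(g^r, msg), s = r + x*e mod q."""
    r = _rng.randrange(1, Q)
    e = _h(_enc(pow(G, r, P)), msg)
    return e, (r + x * e) % Q

def verify(y, msg, sig):
    e, s = sig
    r_pt = pow(G, s, P) * pow(y, Q - e, P) % P   # g^s * y^(-e) == g^r
    return _h(_enc(r_pt), msg) == e

def _stream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _shared_key(priv, peer_pub, y_a, y_b):
    """Static DH between the long-term keys, bound to both public keys."""
    return hashlib.sha256(_enc(pow(peer_pub, priv, P)) + _enc(y_a) + _enc(y_b)).digest()

def signcrypt(x_a, y_a, y_b, msg):
    """Encrypt-then-sign: encrypt under the DH key, then A signs nonce, ciphertext and
    the intended recipient's public key."""
    key = _shared_key(x_a, y_b, y_a, y_b)
    nonce = _rng.getrandbits(128).to_bytes(16, "big")
    ct = bytes(m ^ s for m, s in zip(msg, _stream(key, nonce, len(msg))))
    return nonce, ct, sign(x_a, nonce + ct + _enc(y_b))

def public_verify(y_a, y_b, pkg):
    """Anyone can check that A produced this ciphertext for B without learning the message."""
    nonce, ct, sig = pkg
    return verify(y_a, nonce + ct + _enc(y_b), sig)

def unsigncrypt(x_b, y_b, y_a, pkg):
    if not public_verify(y_a, y_b, pkg):
        raise ValueError("signature invalid")
    nonce, ct, _ = pkg
    key = _shared_key(x_b, y_a, y_a, y_b)
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))
```

public_verify needs only public keys and the transmitted package, so a judge can settle a dispute without any zero-knowledge protocol and without seeing the plaintext; the receiver, who shares the DH key, could produce a ciphertext but never A's signature on it, which is where non-repudiation comes from.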

Book ChapterDOI
Charanjit S. Jutla
14 Aug 2003
TL;DR: In this article, it was shown that any scheme to encrypt m blocks of size n bits each, which assures message integrity, is linear in GF(2)^n, uses m+k invocations of random functions (from n bits to n bits) and vn bits of randomness, must have k+v at least Ω(log m).
Abstract: We show that any scheme to encrypt m blocks of size n bits each, which assures message integrity, is linear in GF(2)^n, uses m+k invocations of random functions (from n bits to n bits) and vn bits of randomness, must have k+v at least Ω(log m). This lower bound is proved in a very general model which rules out many promising linear modes of operation for encryption with message integrity. This lower bound is tight, as in an earlier paper, "Encryption Modes with Almost Free Message Integrity", Proc. Eurocrypt 2001, we show a linear scheme to encrypt m blocks while assuring message integrity by using only m + 2 + log m invocations of random permutations.

Book ChapterDOI
04 May 2003
TL;DR: In this article, a new cryptographic primitive called concealment is introduced, related to but quite different from commitment, and it is shown to be exactly the abstraction needed to use an authenticated encryption scheme for long messages and for remotely keyed authenticated encryption.
Abstract: We introduce a new cryptographic primitive we call concealment, which is related, but quite different from the notion of commitment. A concealment is a publicly known randomized transformation, which, on input m, outputs a hider h and a binder b. Together, h and b allow one to recover m, but separately, (1) the hider h reveals "no information" about m, while (2) the binder b can be "meaningfully opened" by at most one hider h. While setting b = m, h = ∅ is a trivial concealment, the challenge is to make |b| ≪ |m|, which we call a "non-trivial" concealment. We show that non-trivial concealments are equivalent to the existence of collision-resistant hash functions. Moreover, our construction of concealments is extremely simple, optimal, and yet very general, giving rise to a multitude of efficient implementations. We show that concealments have natural and important applications in the area of authenticated encryption. Specifically, let AE be an authenticated encryption scheme (either public- or symmetric-key) designed to work on short messages. We show that concealments are exactly the right abstraction allowing one to use AE for encrypting long messages. Namely, to encrypt "long" m, one uses a concealment scheme to get h and b, and outputs authenticated ciphertext 〈AE(b),h〉. More surprisingly, the above paradigm leads to a very simple and general solution to the problem of remotely keyed (authenticated) encryption (RKAE) [12,13]. In this problem, one wishes to split the task of high-bandwidth authenticated encryption between a secure, but low-bandwidth/computationally limited device, and an insecure, but computationally powerful host. We give formal definitions for RKAE, which we believe are simpler and more natural than all the previous definitions. We then show that our composition paradigm satisfies our (very strong) definition. Namely, for authenticated encryption, the host simply sends a short value b to the device (which stores the actual secret key for AE), gets back AE(b), and outputs 〈AE(b), h〉 (authenticated decryption is similar). Finally, we also observe that the particular schemes of [13,17] are all special examples of our general paradigm.

Patent
21 Nov 2003
TL;DR: In this article, the problem addressed is to let a sender and a receiver deny the contents of a communication to a third party, while authorizing the receiver to authenticate the message and, when needed, to cancel the sender's deniability.
Abstract: PROBLEM TO BE SOLVED: To enable a sender and a receiver to deny the contents of a communication to a third party, while authorizing the receiver to authenticate the message and, as needed, to cancel the sender's deniability. SOLUTION: A redundant plaintext m' is formed by adding redundancy to the plaintext m, a random number r is generated from a short random-number seed s, a disturbance value h is formed, a signature σ is produced on h, and the set (m, r, σ) is encrypted and sent to the receiver. To verify the plaintext m and the signature σ for a ciphertext whose deniability has been cancelled, the random number r is regenerated from the disclosed seed s to form the redundant plaintext m', the disturbance value h is formed from (r, IDb, m'), and the signature σ is checked against h using the sender's public key pks.


01 Dec 2003
TL;DR: In this article, the authors propose a single-path authenticated-encryption scheme with provable security, based on one of the well-known ε-almost-universal hash functions, the evaluation hash.
Abstract: An authenticated-encryption scheme is frequently used to provide a communication both with confidentiality and integrity. For stream ciphers, i.e., an encryption scheme using a cryptographic pseudorandom-number generator, this objective can be achieved by the simple combination of encryption and MAC generation. This naive approach, however, introduces the following drawbacks: the implementation is likely to require two scans of the data, and independent keys for the encryption and MAC generation must be exchanged. The single-path construction of an authenticated-encryption scheme for a stream cipher is advantageous in these two aspects but is a non-trivial design. In this paper we propose a single-path authenticated-encryption scheme with provable security. This scheme is based on one of the well-known ε-almost-universal hash functions, the evaluation hash. The encryption and decryption of the scheme can be calculated by a single-path operation on a plaintext and a ciphertext. We analyze the security of the proposed scheme and give a security proof, which claims that the security of the proposed scheme can be reduced to that of the underlying PRNG in the sense of indistinguishability from random bits. The security model we use, real-or-random, is one of the strongest notions amongst the four well-known notions for confidentiality, and an encryption scheme with real-or-random security can be efficiently reduced to the other three security notions. We also note that the security of the proposed scheme is tight.

01 Jan 2003
TL;DR: It is shown that Ma and Chen's scheme does not actually achieve the non-repudiation property.
Abstract: Recently, Ma and Chen proposed an efficient authenticated encryption with public verifiability in which the receiver's private key and the message are not divulged during the public verifiability. In this paper, we show that Ma and Chen's scheme does not actually achieve the non-repudiation property.