
Showing papers on "Authenticated encryption published in 2007"


01 Nov 2007
TL;DR: This Recommendation specifies the Galois/Counter Mode (GCM) for authenticated encryption with associated data and its specialization, GMAC, for generating a message authentication code (MAC) on data that is not encrypted.
Abstract: This Recommendation specifies the Galois/Counter Mode (GCM), an algorithm for authenticated encryption with associated data, and its specialization, GMAC, for generating a message authentication code (MAC) on data that is not encrypted. GCM and GMAC are modes of operation for an underlying approved symmetric key block cipher.

398 citations


ReportDOI
28 Nov 2007
TL;DR: This Recommendation specifies the Galois/Counter Mode (GCM), an algorithm for authenticated encryption with associated data, and its specialization, GMAC, for generating a message authentication code (MAC) on data that is not encrypted.
Abstract: This Recommendation specifies the Galois/Counter Mode (GCM), an algorithm for authenticated encryption with associated data, and its specialization, GMAC, for generating a message authentication code (MAC) on data that is not encrypted. GCM and GMAC are modes of operation for an underlying approved symmetric key block cipher.

380 citations


Posted Content
TL;DR: In this paper, the key-wrap problem is addressed in the sense of deterministic authenticated-encryption (DAE), a notion that has not yet received a provable security treatment.
Abstract: Standards bodies have been addressing the key-wrap problem, a cryptographic goal that has never received a provable-security treatment. In response, we provide one, giving definitions, constructions, and proofs. We suggest that key-wrap’s goal is security in the sense of deterministic authenticated-encryption (DAE), a notion that we put forward. We also provide an alternative notion, a pseudorandom injection (PRI), which we prove to be equivalent. We provide a DAE construction, SIV, analyze its concrete security, develop a blockcipher-based instantiation of it, and suggest that the method makes a desirable alternative to the schemes of the X9.102 draft standard. The construction incorporates a method to turn a PRF that operates on a string into an equally efficient PRF that operates on a vector of strings, a problem of independent interest. Finally, we consider IV-based authenticated-encryption (AE) schemes that are maximally forgiving of repeated IVs, a goal we formalize as misuse-resistant AE. We show that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.

48 citations


01 Jan 2007
TL;DR: A group-oriented CAE scheme with (t, n) shared verification was proposed in this article, which enables one signer to send a confidential message along with the signature to the designated group of n recipients.
Abstract: Conventional authenticated encryption (AE) schemes put emphasis on the one-to-one setting, which allows one signer to produce an authenticated ciphertext such that only the designated recipient can recover the message and verify its corresponding signature. To meet the need of diversified applications which require simultaneously fulfilling the security requirements of integrity, authenticity, confidentiality and non-repudiation, this paper presents a group-oriented convertible authenticated encryption (CAE) scheme with (t, n) shared verification. Designed mainly for the multi-user setting, the proposed scheme enables one signer to send a confidential message along with the signature to the designated group of n recipients. Any t or more of the n designated recipients can cooperatively recover the message and verify its signature, while t − 1 or fewer cannot. Moreover, in case of a later dispute over repudiation, the designated group of recipients has the ability to convert the signature into an ordinary one for convincing anyone of the signer’s dishonesty.

45 citations


Book ChapterDOI
08 Jul 2007
TL;DR: This work presents a general method, based on the usage of typical DBMS primitives, for maintaining authenticated relational tables that exploits techniques to represent hierarchical data structures into relational tables and queries that allow an efficient selection of the elements needed for authentication.
Abstract: We present a general method, based on the usage of typical DBMS primitives, for maintaining authenticated relational tables. The authentication process is managed by an application external to the DBMS, which stores just a single hash value of the authentication structure. The method exploits techniques to represent hierarchical data structures in relational tables, and queries that allow an efficient selection of the elements needed for authentication.

44 citations


Patent
12 Jan 2007
TL;DR: In this article, a tag tree is generated by means of the authentication tags and the ciphertext data blocks and the tag tree data are stored in an untrusted storage, and the root tag of the tag trees is stored in a trusted storage.
Abstract: Techniques for encryption and authentication of data. From one or more plaintext data blocks, ciphertext data blocks and corresponding authentication tags are generated by means of authenticated encryption. A tag tree is generated by means of the authentication tags. The ciphertext data blocks and the tag tree data of the tag tree are stored in an untrusted storage, and the root tag of the tag tree is stored in a trusted storage.

39 citations


01 Nov 2007
TL;DR: This document specifies the conventions for using the AES-CCM and the AES-GCM authenticated encryption algorithms with the Cryptographic Message Syntax (CMS) authenticated-enveloped-data content type.
Abstract: This document specifies the conventions for using the AES-CCM and the AES-GCM authenticated encryption algorithms with the Cryptographic Message Syntax (CMS) authenticated-enveloped-data content type. [STANDARDS-TRACK]

37 citations


Patent
13 Jul 2007
TL;DR: In this paper, an authenticated encryption method and apparatus are described in which plaintext data is encrypted, using a secret key, to form ciphertext data and a message authentication code, MAC, is also formed in dependence on a combination of the ciphertext and data characteristic of the plaintext.
Abstract: An authenticated encryption method and apparatus are described in which plaintext data is encrypted, using a secret key, to form ciphertext data. A message authentication code, MAC, is also formed in dependence on a combination of the ciphertext data and data characteristic of the plaintext data. The ciphertext data and the MAC are then output, for example, for storage to a storage medium. In a preferred embodiment a block cipher operating in GCM mode is adapted to cause the stored message authentication code to be dependent on the plaintext data.

35 citations


Posted Content
TL;DR: This paper presents a general tweakable block cipher (TBC) construction and modes of operation built on it. The main contribution is to generalize Rogaway's TBC construction by working over a ring R and by the use of a masking sequence of functions.
Abstract: This work builds on earlier work by Rogaway at Asiacrypt 2004 on tweakable block ciphers (TBC) and modes of operation. Our first contribution is to generalize Rogaway’s TBC construction by working over a ring R and by the use of a masking sequence of functions. The ring R can be instantiated as either GF(2^n) or as Z_{2^n}. Further, over GF(2^n), efficient instantiations of the masking sequence of functions can be done using either a binary Linear Feedback Shift Register (LFSR), a powering construction, a cellular automata map, or a word-oriented LFSR. Rogaway’s TBC construction was built from the powering construction over GF(2^n). Our second contribution is to use the general TBC construction to instantiate constructions of various modes of operation, including authenticated encryption (AE) and message authentication code (MAC). In particular, this gives rise to a family of efficient one-pass AE modes of operation. Out of these, the mode of operation obtained by the use of a word-oriented LFSR promises to provide a masking method which is more efficient than the one used in the well-known AE protocol called OCB.

35 citations


Book ChapterDOI
09 Oct 2007
TL;DR: This work proposes a high-speed pipelined hardware architecture for GCM in conjunction with a pipelined multiply-adder over the Galois field GF(2^128) and shows very high throughput and high hardware efficiency.
Abstract: In the authenticated encryption mode GCM (Galois Counter Mode), the CTR (counter) mode for data encryption, which has no feedback path, can easily be pipelined to boost the operating frequency of a hardware implementation. However, the hash function for authentication tag generation performs multiply-add operations sequentially by chaining the result of the previous cycle, and this becomes the critical path in high-speed GCM hardware. Therefore, we propose a high-speed pipelined hardware architecture for GCM in conjunction with a pipelined multiply-adder over the Galois field GF(2^128). This architecture was implemented with a 4-stage pipelined multiply-adder and a 56-stage pipelined AES (Advanced Encryption Standard) circuit using a 0.13-µm CMOS standard cell library. This implementation showed a very high throughput of 54.94 Gbps with 272 Kgates for the key lengths of 128, 192, and 256 bits. The high hardware efficiency (throughput/gate) of 201.75 Kbps/gate is also an improvement over prior art.

29 citations


Journal ArticleDOI
TL;DR: This paper presents a parallel algorithm for computing inverses of matrices modulo n, used in conjunction with block ciphers and Hill ciphers for symmetric encryption and decryption of data.
Abstract: In the current world that we live in, of rapidly growing technology, and especially reliance on the Internet for our daily livelihood (banking, shopping, entertainment, news), and also with current crimes (identity theft, hacking, spyware), computer security is becoming more and more important. By "computer security" we often refer to addressing three important aspects of a computer-related system: confidentiality, integrity, and availability. Encryption clearly addresses the need for confidentiality of data, both in storage and transmission. However, the use of encryption can be cumbersome and time consuming. It is important to have a fast algorithm to both encrypt and decrypt data as needed. Public key encryption, though secure, is definitely not fast enough to be used for large-size data. We introduce a parallel algorithm for computation of inverses of matrices modulo n. This is used in conjunction with block ciphers and Hill ciphers in symmetric encryption and decryption of data for transmission on open lines. Experimental studies were done to compare the run-time of this algorithm on parallel machines to the traditional one. The new algorithm was found to perform much better than the traditional one, and would be useful in encryption/decryption of large sensitive data.

Journal ArticleDOI
TL;DR: A practical generalized signcryption scheme ECGSC, which will seamlessly switch to the Elliptic Curve Digital Signature Algorithm or a provably secure asymmetric encryption scheme when the recipient's keys or the sender's keys are absent, and saves 9–14% in communication costs in the signcryption mode.
Abstract: Traditional signcryption is not feasible for some information security scenarios, though it is a new cryptographic primitive that simultaneously fulfills both the functions of signature and encryption. Generalized signcryption is an adaptive primitive which achieves both secrecy and authenticity, or provides them separately, by a generic structure. The notions related to generalized signcryption, such as syntax, correctness, and security, are proposed in the paper. A practical generalized signcryption scheme, ECGSC, is also evaluated carefully. Formal proofs for the unforgeability and confidentiality of ECGSC in the random oracle model are provided. To give a solution for multiple-user settings, an efficient multicast scheme is also designed. ECGSC will seamlessly switch to the Elliptic Curve Digital Signature Algorithm (ECDSA) or a provably secure asymmetric encryption scheme when the recipient's keys or the sender's keys are absent. Compared with other schemes, it saves 9–14% in communication costs in the signcryption mode. It also saves 78–82% in computational costs. Copyright © 2007 John Wiley & Sons, Ltd.

Patent
10 Jul 2007
TL;DR: In this article, the authors propose a method of authenticated encryption by concatenating a first user-datum with a second datum and a third datum, encrypting the results, concatenating the encrypted results and transmitting the result to a recipient.
Abstract: A device for and method of authenticated encryption by concatenating a first user-datum with a second datum, concatenating the first datum with a third datum, encrypting the results, concatenating the encrypted results, concatenating the result with a message and a fifth user-definable datum, hashing the result, concatenating the result with the message, dividing the result into blocks, concatenating the first datum with a sixth datum, generating key-stream blocks from the result using a block cipher in counter mode, combining the blocks and key-stream blocks, concatenating the result with the first datum and the fifth datum, and transmitting the result to a recipient. The recipient extracts the hash value from the received ciphertext, generates a hash value from the first through fifth datums and plaintext derived from the ciphertext, and compares the two. If they match then the plaintext and fifth datum are as the sender intended.

Proceedings ArticleDOI
20 May 2007
TL;DR: A close look at Kerberos' encryption is taken, and it is confirmed that most of the options in the current version provably provide privacy and authenticity, some with slight modifications that are suggested.
Abstract: Kerberos is a widely deployed network authentication protocol that is being considered for standardization. Many works have analyzed its security, identifying flaws and often suggesting fixes, thus helping the protocol's evolution. Several recent results present successful formal-methods-based verification of a significant portion of the current version 5, and some even imply security in the computational setting. For these results to hold, encryption in Kerberos should satisfy strong cryptographic security notions. However, neither the encryption schemes currently deployed as part of Kerberos nor their proposed revisions are known to provably satisfy such notions. We take a close look at Kerberos' encryption and confirm that most of the options in the current version provably provide privacy and authenticity, some with slight modifications that we suggest. Our results complement the formal-methods-based analysis of Kerberos that justifies its current design.

Posted Content
TL;DR: The authors take a close look at Kerberos' encryption, and they confirm that most of the options in the current version provably provide privacy and authenticity, although some require slight modifications which they suggest.
Abstract: Kerberos is a widely deployed network authentication protocol currently being considered for standardization. Many works have analyzed its security, identifying flaws and often suggesting fixes, thus promoting the protocol’s evolution. Several recent results present successful, formal methods-based verifications of a significant portion of the current version, v.5, and some even imply security in the computational setting. For these results to hold, encryption in Kerberos should satisfy strong cryptographic security notions. However, prior to our work, none of the encryption schemes currently deployed as part of Kerberos, nor their proposed revisions, were known to provably satisfy such notions. We take a close look at Kerberos’ encryption, and we confirm that most of the options in the current version provably provide privacy and authenticity, though some require slight modifications which we suggest. Our results complement the formal methods-based analysis of Kerberos that justifies its current design.

01 Nov 2007
TL;DR: This document describes an additional content type for the Cryptographic Message Syntax that is intended for use with authenticated encryption modes; all of the various key management techniques that are supported in the CMS enveloped-data content type are also supported by the CMS authenticated-enveloped-data content type.
Abstract: This document describes an additional content type for the Cryptographic Message Syntax (CMS). The authenticated-enveloped-data content type is intended for use with authenticated encryption modes. All of the various key management techniques that are supported in the CMS enveloped-data content type are also supported by the CMS authenticated-enveloped-data content type.

Journal ArticleDOI
TL;DR: An authenticated encryption scheme with message linkages used to deliver a large message so that the receiver can easily convert the signature into an ordinary one that can be verified by anyone.

Posted Content
TL;DR: In this article, the Dragon-MAC message authentication code is proposed to reduce the computational cost of the MAC algorithm; it is designed to employ some of the data already computed by the underlying Dragon stream cipher for the purpose of minimizing that cost.
Abstract: Sensor networks offer economically viable monitoring solutions for a wide variety of applications. In order to combat the security threats that sensor networks are exposed to, a cryptographic protocol is implemented at sensor nodes for point-to-point encryption between nodes. Disclosure, disruption and deception threats can be defeated by authenticating data sources as well as encrypting data in transmission. Given that nodes have limited resources, symmetric cryptography, which is proven to be efficient for low-power devices, is implemented. Data protection is integrated into a sensor’s packet by means of symmetric encryption with the Dragon stream cipher and by incorporating the newly designed Dragon-MAC message authentication code. The proposed algorithm was designed to employ some of the data already computed by the underlying Dragon stream cipher for the purpose of minimizing the computational cost of the operations required by the MAC algorithm. Since Dragon is a word-based stream cipher with fast key stream generation, it is very suitable for a constrained environment. Our protocol addresses entity authentication and message authentication through the implementation of an authenticated encryption scheme on Telos B wireless sensor nodes.

Proceedings ArticleDOI
02 Apr 2007
TL;DR: This paper proposes an improved signcryption scheme and a variant scheme providing message recovery, revised from an authenticated encryption scheme which has been found to have a security flaw, and provides an additional property called public verifiability of the signature.
Abstract: Signcryption is a new cryptographic primitive which simultaneously provides both confidentiality and authenticity. This paper proposes an improved signcryption scheme and a variant scheme providing message recovery. The first scheme is revised from an authenticated encryption scheme which has been found to have a security flaw. Our scheme fixes the security flaw and provides an additional property called public verifiability of the signature. The second scheme is a message recovery type. It surpasses most of the current signcryption schemes on the size of the signcrypted ciphertext. That is, in our second scheme, we require only two parameters, (r, s), with r ∈ Z_p and s ∈ Z_q, while most signcryption schemes require three parameters (c, r, s) with the additional parameter c ∈ Z_p. This second scheme is modified from an authenticated encryption scheme with message recovery and surpasses the underlying authenticated encryption scheme on the property of non-repudiation of origin.

Patent
21 Sep 2007
TL;DR: In this paper, a low-latency method and apparatus for the GHASH operation of the authenticated encryption Galois Counter Mode (GCM) is disclosed, which simultaneously computes three interim values respectively yielded from the additional authenticated data A, the ciphertext C, and the hash key H defined in the GCM.
Abstract: Disclosed is a low-latency method and apparatus of GHASH operation for authenticated encryption Galois Counter Mode (GCM), which simultaneously computes three interim values respectively yielded from the additional authenticated data A, the ciphertext C, and the hash key H defined in the GCM. Then, the output of the GHASH operation may be derived. Assuming that A has m blocks and C has n blocks, this disclosure performs the GHASH operation with max {m,n}+1 steps. The input order for the additional authenticated data A and the ciphertext C may be independent. A disordered sequence for the additional authenticated data A and the ciphertext C may also be accepted by this disclosure. This allows the applications in GCM to be more flexible.

Book ChapterDOI
01 Nov 2007
TL;DR: A hybrid hierarchical identity based encryption (HIBE) protocol which is secure in the full model without using the random oracle heuristic and whose security is based on the computational hardness of the decisional bilinear Diffie-Hellman (DBDH) problem.
Abstract: We describe a hybrid hierarchical identity based encryption (HIBE) protocol which is secure in the full model without using the random oracle heuristic and whose security is based on the computational hardness of the decisional bilinear Diffie-Hellman (DBDH) problem. The new protocol is obtained by augmenting a previous construction of a HIBE protocol which is secure against chosen plaintext attacks (CPA-secure). The technique for answering decryption queries in the proof is based on earlier work by Boyen-Mei-Waters. Ciphertext validity testing is done indirectly through a symmetric authentication algorithm in a manner similar to the Kurosawa-Desmedt public key encryption protocol. Additionally, we perform symmetric encryption and authentication by a single authenticated encryption algorithm. A net result of all these is that our construction improves upon previously known constructions in the same setting.

Proceedings Article
01 Nov 2007
TL;DR: In this article, the authors describe a hybrid hierarchical identity based encryption (HIBE) protocol which is secure in the full model without using the random oracle heuristic and whose security is based on the computational hardness of the decisional bilinear Diffie-Hellman (DBDH) problem.
Abstract: We describe a hybrid hierarchical identity based encryption (HIBE) protocol which is secure in the full model without using the random oracle heuristic and whose security is based on the computational hardness of the decisional bilinear Diffie-Hellman (DBDH) problem. The new protocol is obtained by augmenting a previous construction of a HIBE protocol which is secure against chosen plaintext attacks (CPA-secure). The technique for answering decryption queries in the proof is based on earlier work by Boyen-Mei-Waters. Ciphertext validity testing is done indirectly through a symmetric authentication algorithm in a manner similar to the Kurosawa-Desmedt public key encryption protocol. Additionally, we perform symmetric encryption and authentication by a single authenticated encryption algorithm. A net result of all these is that our construction improves upon previously known constructions in the same setting.

Journal Article
TL;DR: A new authenticated encryption scheme is proposed based on the discrete logarithm, such that any third party can verify its signatures to realize public verifiability, and it reduces computational complexity and bandwidth occupation.
Abstract: A new authenticated encryption scheme is proposed based on the discrete logarithm. The scheme bears the following characteristics: any third party can verify its signatures, realizing public verifiability; it reduces computational complexity and bandwidth occupation; and a timestamp has been adopted, which can resist the attack of continuously resending ciphertexts.

Journal ArticleDOI
TL;DR: New and shorter proofs for message integrity and confidentiality of the IAPM mode and the IACBC mode proposed by Jutla are given.
Abstract: We give new and shorter proofs for message integrity and confidentiality of the IAPM mode and of the IACBC mode proposed by Jutla.

Book ChapterDOI
18 Dec 2007
TL;DR: This paper shows that a mode known as EPBC (Efficient error-Propagating Block Chaining), proposed in 1997 by Zuquete and Guedes, is insecure, and demonstrates a message forgery attack.
Abstract: A large variety of methods for using block ciphers, so called 'modes of operation', have been proposed, including some designed to provide both confidentiality and integrity protection. Such modes, usually known as 'authenticated encryption' modes, are increasingly important given the variety of issues now known with the use of unauthenticated encryption. In this paper we show that a mode known as EPBC (Efficient error-Propagating Block Chaining), proposed in 1997 by Zuquete and Guedes, is insecure. Specifically we show that given a modest amount of known plaintext for a single enciphered message, new enciphered messages can be constructed which will pass tests for authenticity. That is, we demonstrate a message forgery attack.

Journal ArticleDOI
TL;DR: This paper proposes an efficient identity based multi-decrypter encryption scheme, which needs only one or zero (if precomputed) pairing computation and the ciphertext contains only three group elements no matter how many the receivers are.
Abstract: Multi-decrypter encryption is a typical application in multi-user cryptographic branches. In multi-decrypter encryption, a message is encrypted under multiple decrypters' public keys in the way that only when all the decrypters cooperate, can the message be read. However, trivial implementation of multi-decrypter encryption using standard approaches leads to heavy computation costs and long ciphertext which grows as the receiver group expands. This consumes much precious bandwidth in wireless environment, such as mobile ad hoc network. In this paper, we propose an efficient identity based multi-decrypter encryption scheme, which needs only one or zero (if precomputed) pairing computation and the ciphertext contains only three group elements no matter how many the receivers are. Moreover, we give a formal security definition for the scheme, and prove the scheme to be chosen ciphertext secure in the random oracle model, and discuss how to modify the scheme to resist chosen ciphertext attack.

Proceedings ArticleDOI
10 Nov 2007
TL;DR: An overview of the Galois Counter Mode (GCM) of operation, which is one of the available two-pass AEAD schemes, and some preliminary considerations and analyses about its possible application to Telecommand frames specified by CCSDS are provided.
Abstract: In recent times, security has grown to be a topic of major importance for space missions. Many space agencies have been engaged in research on the selection of proper algorithms for ensuring Telecommand security according to the space communication environment, especially in regard to privacy and authentication. Since space missions with high security levels need to ensure both privacy and authentication, Authenticated Encryption with Associated Data (AEAD) schemes need to be integrated into normal Telecommand protocols. This paper provides an overview of the Galois Counter Mode (GCM) of operation, which is one of the available two-pass AEAD schemes, and some preliminary considerations and analyses about its possible application to Telecommand frames specified by CCSDS.

Book ChapterDOI
01 Jan 2007
TL;DR: This paper presents an efficient authenticated encryption construction based on a universal hash function and block cipher, resulting in authenticated encryption with peak performance about ten percent slower than encryption alone.
Abstract: This paper presents an efficient authenticated encryption construction based on a universal hash function and block cipher. Encryption is achieved via counter-mode while authentication uses the Wegman-Carter paradigm. A single block-cipher key is used for both operations. The construction is instantiated using the hash functions of UMAC and VMAC, resulting in authenticated encryption with peak performance about ten percent slower than encryption alone.

Book
01 Jan 2007
TL;DR: This volume collects papers including a modified Berlekamp-Massey algorithm for approximating the k-error linear complexity of binary sequences and an efficient computation of the best quadratic approximations of cubic Boolean functions.
Abstract: Invited Papers.- Efficient Cryptographic Protocols Based on the Hardness of Learning Parity with Noise.- Galois Rings and Pseudo-random Sequences.- Signatures I.- Finding Invalid Signatures in Pairing-Based Batches.- How to Forge a Time-Stamp Which Adobe's Acrobat Accepts.- Efficient Computation of the Best Quadratic Approximations of Cubic Boolean Functions.- On the Walsh Spectrum of a New APN Function.- Non-linear Cryptanalysis Revisited: Heuristic Search for Approximations to S-Boxes.- Cryptanalysis of the EPBC Authenticated Encryption Mode.- Blockwise-Adaptive Chosen-Plaintext Attack and Online Modes of Encryption.- Algebraic Cryptanalysis of the Data Encryption Standard.- Cryptographic Side-Channels from Low-Power Cache Memory.- New Branch Prediction Vulnerabilities in OpenSSL and Necessary Software Countermeasures.- Remarks on the New Attack on the Filter Generator and the Role of High Order Complexity.- Modified Berlekamp-Massey Algorithm for Approximating the k-Error Linear Complexity of Binary Sequences.- Efficient KEMs with Partial Message Recovery.- Randomness Reuse: Extensions and Improvements.- On the Connection Between Signcryption and One-Pass Key Establishment.- Optimised Versions of the Ate and Twisted Ate Pairings.- Extractors for Jacobian of Hyperelliptic Curves of Genus 2 in Odd Characteristic.- Constructing Pairing-Friendly Elliptic Curves Using Gröbner Basis Reduction.- Efficient 15,360-bit RSA Using Woop-Optimised Montgomery Arithmetic.- Toward Acceleration of RSA Using 3D Graphics Hardware.- Signatures II.- Multi-key Hierarchical Identity-Based Signatures.- Verifier-Key-Flexible Universal Designated-Verifier Signatures.

Proceedings ArticleDOI
29 Oct 2007
TL;DR: An improved scheme based on only the Discrete Logarithm Problem (DLP) is proposed, which is more efficient than Ma-Chen's in terms of the computation cost.
Abstract: Most currently publicly verifiable authenticated encryption schemes based on a conventional one-way hash function have a security hole: these schemes are vulnerable to the universal forgery attack. The security weakness of Ma-Chen's publicly verifiable authenticated encryption scheme is shown in this paper. In order to overcome this problem, without using any conventional one-way hash function, we propose an improved scheme based only on the Discrete Logarithm Problem (DLP). Further, the proposed scheme is more efficient than Ma-Chen's in terms of computation cost.