
Showing papers on "Authenticated encryption published in 2008"


Journal ArticleDOI
TL;DR: In this paper, the authors consider two possible notions of authenticity for authenticated encryption schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them, when coupled with IND-CPA (indistinguishability under chosen-plaintext attack), to the standard notions of privacy IND-CCA and NM-CPA, and provide proofs for the cases where the answer is "yes" and counter-examples for the cases where the answer is "no".
Abstract: An authenticated encryption scheme is a symmetric encryption scheme whose goal is to provide both privacy and integrity. We consider two possible notions of authenticity for such schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them, when coupled with IND-CPA (indistinguishability under chosen-plaintext attack), to the standard notions of privacy IND-CCA and NM-CPA (indistinguishability under chosen-ciphertext attack and nonmalleability under chosen-plaintext attack) by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by “generic composition,” meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC, MAC-then-encrypt, and Encrypt-then-MAC. For each of these and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming that the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is “yes” and counter-examples for the cases where the answer is “no.”

586 citations


01 Aug 2008
TL;DR: This memo describes the use of the Advanced Encryption Standard in Galois/Counter Mode (GCM) as a Transport Layer Security (TLS) authenticated encryption operation.
Abstract: This memo describes the use of the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) as a Transport Layer Security (TLS) authenticated encryption operation. GCM provides both confidentiality and data origin authentication, can be efficiently implemented in hardware for speeds of 10 gigabits per second and above, and is also well-suited to software implementations. This memo defines TLS ciphersuites that use AES-GCM with RSA, DSS and Diffie-Hellman based key exchange mechanisms.

123 citations


01 Jan 2008
TL;DR: This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms.
Abstract: This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK]

115 citations


Journal ArticleDOI
Charanjit S. Jutla1
TL;DR: The Integrity Aware Parallelizable Mode (IAPM) proposed in this paper provides both confidentiality and message integrity using a total of m+1 block cipher evaluations on a plaintext of length m blocks, which is the same cost as the second pass of a CBC-MAC alone.
Abstract: We define a new mode of operation for block ciphers which, in addition to providing confidentiality, also ensures message integrity. In contrast, previously for message integrity a separate pass was required to compute a cryptographic message authentication code (MAC). The new mode of operation, called Integrity Aware Parallelizable Mode (IAPM), requires a total of m+1 block cipher evaluations on a plain-text of length m blocks. For comparison, the well-known CBC (cipher block chaining) encryption mode requires m block cipher evaluations, and the second pass of computing the CBC-MAC essentially requires additional m+1 block cipher evaluations. As the name suggests, the new mode is also highly parallelizable.

96 citations


Book ChapterDOI
25 Nov 2008
TL;DR: In this article, a high-speed and secure dynamic partial reconfiguration (DPR) system is realized with AES-GCM that guarantees both confidentiality and authenticity of FPGA bitstreams.
Abstract: A high-speed and secure dynamic partial reconfiguration (DPR) system is realized with AES-GCM that guarantees both confidentiality and authenticity of FPGA bitstreams. In DPR systems, bitstream authentication is essential for avoiding fatal damage caused by unintended bitstreams. An encryption-only system can prevent bitstream cloning and reverse engineering, but cannot prevent erroneous or malicious bitstreams from being configured. Authenticated encryption is a relatively new concept that provides both message encryption and authentication, and AES-GCM is one of the latest authenticated encryption algorithms suitable for hardware implementation. We implemented the AES-GCM-based DPR system targeting the Virtex-5 device on an off-the-shelf board, and evaluated its throughput and hardware resource utilization. For comparison, we also implemented AES-CBC and SHA-256 modules on the same device. The experimental results showed that the AES-GCM-based system achieved higher throughput with less resource utilization than the AES/SHA-based system. The AES-GCM-module achieved more than 1 Gbps throughput and the entire system achieved about 800 Mbps throughput with reasonable resource utilization. This paper clarifies the advantage of using AES-GCM for protecting DPR systems.

46 citations


Journal ArticleDOI
TL;DR: Rogaway's tweakable block cipher (TBC) construction is generalized by working over a ring and by the use of a masking sequence of functions, and the general construction is then used to instantiate various modes of operation including authenticated encryption (AE) and message authentication code (MAC).
Abstract: This work builds on earlier work by Rogaway at Asiacrypt 2004 on tweakable block cipher (TBC) and modes of operations. Our first contribution is to generalize Rogaway's TBC construction by working over a ring and by the use of a masking sequence of functions. The ring can be instantiated as either GF or as . Further, over GF, efficient instantiations of the masking sequence of functions can be done using either a binary linear feedback shift register (LFSR); a powering construction; a cellular automata map; or by using a word-oriented LFSR. Rogaway's TBC construction was built from the powering construction over GF. Our second contribution is to use the general TBC construction to instantiate constructions of various modes of operations including authenticated encryption (AE) and message authentication code (MAC). In particular, this gives rise to a family of efficient one-pass AE modes of operation. Out of these, the mode of operation obtained by the use of word-oriented LFSR promises to provide a masking method which is more efficient than the one used in the well known AE protocol called OCB1.

39 citations


Book ChapterDOI
30 Oct 2008
TL;DR: It is shown that tweakable pseudorandom permutations can be obtained without increasing the number of rounds compared to the non-tweakable versions.
Abstract: Tweakable pseudorandom permutations have wide applications such as the disk sector encryption, and the underlying primitive for efficient MACs and authenticated encryption schemes. Goldenberg et al. showed constructions of a tweakable pseudorandom permutation based on the Feistel structure. In this paper, we explore the possibility of designing tweakable pseudorandom permutations based on the Generalized Feistel Structure. We show that tweakable pseudorandom permutations can be obtained without increasing the number of rounds compared to the non-tweakable versions. We also present designs that take multiple tweaks as input.

31 citations


Book ChapterDOI
Tetsu Iwata1
11 Jun 2008
TL;DR: This paper proposes an authenticated encryption mode for blockciphers, CIP, whose provable security bounds are better than the usual birthday bound; the proven security bound for the authenticity of CIP is better than that of any previously known scheme.
Abstract: In this paper, we propose an authenticated encryption mode for blockciphers. Our authenticated encryption mode, CIP, has provable security bounds which are better than the usual birthday bound security. Besides, the proven security bound for authenticity of CIP is better than any of the previously known schemes. The design is based on the encrypt-then-PRF approach, where the encryption part uses a key stream generation of CENC, and the PRF part combines a hash function based on the inner product and a blockcipher.

31 citations


01 Oct 2008
TL;DR: This memo describes SIV, a block cipher mode of operation which takes a key, a plaintext, and multiple variable-length octet strings which will be authenticated but not encrypted and produces a ciphertext having the same length as the plaintext and a synthetic initialization vector.
Abstract: This memo describes SIV, a block cipher mode of operation. SIV takes a key, a plaintext, and multiple variable-length octet strings which will be authenticated but not encrypted. It produces a ciphertext having the same length as the plaintext and a synthetic initialization vector. Depending on how it is used, SIV achieves either the goal of deterministic authenticated-encryption or the goal of nonce-based, misuse-resistant authenticated-encryption.

31 citations


Journal ArticleDOI
TL;DR: A number of extensions of the basic idea of SSL/TLS session-aware user authentication are presented, which include multi-institution tokens, possibilities for changing the PIN, and different ways of making several popular and widely deployed user authentication systems SSL/TLS session-aware.

28 citations


Journal ArticleDOI
TL;DR: This paper elaborates on the merits of CAE and multi-signature schemes to propose a convertible multi-authenticated encryption scheme which has the following advantages: (i) the size of the generated authenticated ciphertext is independent of the number of total participating signers.

Journal ArticleDOI
TL;DR: This study shows that not only can a multi-authenticated ciphertext signature be generated by a signing group, but also the message can be recovered and verified by a verifying group with multiple verifiers.

Proceedings ArticleDOI
20 Jun 2008
TL;DR: A new lightweight authenticated encryption mechanism based on Rabbit stream cipher referred to as Rabbit-MAC, for wireless sensor networks (WSNs) that fulfils both requirements of security as well as energy efficiency is proposed.
Abstract: In this paper, we propose a new lightweight authenticated encryption mechanism based on the Rabbit stream cipher, referred to as Rabbit-MAC, for wireless sensor networks (WSNs) that fulfils both requirements of security and energy efficiency. Our proposed scheme provides data authentication, confidentiality and integrity in WSNs. We construct a Rabbit-based MAC function, which can be used for data authentication and data integrity. Our proposed security protocol is intended for resource-constrained WSNs, and can be widely used in secure communication applications where the communicating nodes have limited processing and storage capabilities while requiring sufficient levels of security. The features of the Rabbit-MAC scheme indicate that it might be more efficient than existing schemes in terms of security and resource consumption.

15 May 2008
TL;DR: This paper clarifies the advantage of using AES-GCM for protecting DPR systems; it implements an AES-GCM-based DPR system targeting the Virtex-5 device on an off-the-shelf board, and evaluates its throughput and hardware resource utilization.
Abstract: A high-speed and secure dynamic partial reconfiguration (DPR) system is realized with AES-GCM that guarantees both confidentiality and authenticity of FPGA bitstreams. In DPR systems, bitstream authentication is essential for avoiding fatal damage caused by unintended bitstreams. An encryption-only system can prevent bitstream cloning and reverse engineering, but cannot prevent erroneous or malicious bitstreams from being configured. Authenticated encryption is a relatively new concept that provides both message encryption and authentication, and AES-GCM is one of the latest authenticated encryption algorithms suitable for hardware implementation. We implemented the AES-GCM-based DPR system targeting the Virtex-5 device on an off-the-shelf board, and evaluated its throughput and hardware resource utilization. For comparison, we also implemented AES-CBC and SHA-256 modules on the same device. The experimental results showed that the AES-GCM-based system achieved higher throughput with less resource utilization than the AES/SHA-based system. The AES-GCM-module achieved more than 1 Gbps throughput and the entire system achieved about 800 Mbps throughput with reasonable resource utilization. This paper clarifies the advantage of using AES-GCM for protecting DPR systems.

01 Aug 2008
TL;DR: This document describes the use of authenticated encryption algorithms with the Encrypted Payload of the Internet Key Exchange version 2 (IKEv2) protocol.
Abstract: An authenticated encryption algorithm combines encryption and integrity into a single operation; such algorithms may also be referred to as combined modes of an encryption cipher or as combined mode algorithms. This document describes the use of authenticated encryption algorithms with the Encrypted Payload of the Internet Key Exchange version 2 (IKEv2) protocol. The use of two specific authenticated encryption algorithms with the IKEv2 Encrypted Payload is also described; these two algorithms are the Advanced Encryption Standard (AES) in Galois/Counter Mode (AES GCM) and AES in Counter with CBC-MAC Mode (AES CCM). Additional documents may describe the use of other authenticated encryption algorithms with the IKEv2 Encrypted Payload. [STANDARDS-TRACK]

Journal ArticleDOI
TL;DR: This paper proposes a selectively convertible authenticated encryption scheme where either the sender or the designated receiver can selectively convert the encryption such that the information about the signing event and that about the signed content can be released adaptively.
Abstract: Conventionally, a verified digital signature releases information about both the signing event and the signed content simultaneously, where the signing event proves the truth that someone actually signed something. However, in many cases, the information of the signing event and the signed content have different uses and distinct degrees of importance on various occasions. In such cases, the conventional digital signature, the current authenticated encryption schemes and the current signcryption schemes cannot satisfy the needs of selectively releasing either the information about the signing event or that about the signed content or both, depending on the situation. In this paper, we propose a selectively convertible authenticated encryption scheme where either the sender or the designated receiver can selectively convert the encryption such that the information about the signing event and that about the signed content can be released adaptively. The security of the scheme is proved in the random oracle model. Applications based on the proposed scheme are also introduced.

Journal Article
TL;DR: It is shown that there is a weakness in all these schemes affecting both the authentication of the signer's public key and the security of the system itself.
Abstract: Tseng et al. introduced in 2003 an authenticated encryption scheme using self-certified public keys. Based on this scheme, several authors have proposed new signature schemes avoiding some attacks against the original proposal. In this paper we show that there is a weakness in all these schemes affecting both the authentication of the signer's public key and the security of the system itself. We propose a slight but necessary modification to these schemes in order to avoid that weakness.

Proceedings ArticleDOI
08 Dec 2008
TL;DR: This paper presents an FPGA implementation of a complete bidirectional 2 Gbps fibre channel link encryptor hosting two area-optimized GCM cores for concurrent authenticated encryption and decryption.
Abstract: The Galois/counter mode (GCM) algorithm enables fast encryption combined with per-packet message authentication. This paper presents an FPGA implementation of a complete bidirectional 2 Gbps fibre channel link encryptor hosting two area-optimized GCM cores for concurrent authenticated encryption and decryption. The proposed architecture fits into one Xilinx Virtex-4 device. Measurements in a working network link point out that per-packet authentication results in a speed decrease up to 20% of the channel capacity for a reference frame length of 256 bits. Two methods of frame encryption are investigated to reduce the required GCM overhead and to exploit different network configurations.

Journal ArticleDOI
TL;DR: An information-theoretic model for steganography in the presence of active adversaries is proposed by extending both Simmons' and Cachin's works, and a generic construction of stegosystems secure against active attacks, using authenticated encryption in the unconditional setting, is shown.
Abstract: In this paper, we study unconditionally secure stegosystems against active attacks over an insecure channel in which an adversary can read and write a message. More specifically, we propose an information-theoretic model for steganography in the presence of active adversaries by extending both Simmons' and Cachin's works; and we show a generic construction of stegosystems secure against active attacks by using authenticated encryption in the unconditional setting. Although the idea behind this construction is already used in different models (i.e., computational models and/or information-theoretic models with passive adversaries) of steganography, our contribution lies in showing that the construction methodology provides provable and unconditional security against active adversaries.

Proceedings ArticleDOI
28 Jan 2008
TL;DR: Four algorithms are presented, covering key generation, individual signature generation and verification, group signature generation and encryption, and decryption and group signature verification; together they constitute the authenticated encryption mechanism for group communication in grid environments, and the results show that it efficiently ensures the security of group communication in the grid.
Abstract: In grid computing, group communication is an important strategy to realize large-scale information resource sharing. However, it is very difficult to ensure the security of group communication in a large-scale grid environment. In this paper, based on the basic theory of threshold signatures and the basic characteristics of group communication in the grid, we present four algorithms, covering key generation, individual signature generation and verification, group signature generation and encryption, and decryption and group signature verification, which constitute the authenticated encryption mechanism for group communication in the grid. Finally, we validate the correctness of the authenticated encryption mechanism proposed in this paper and analyze its security. In addition, the validity of this mechanism is verified by experiments. The results show that it efficiently ensures the security of group communication in the grid.

Patent
Charanjit S. Jutla1
17 Mar 2008
TL;DR: In this paper, the initial vectors are chosen in an incremental and safe fashion, which leads to an incremental method for generating the pair-wise differentially uniform sequences or XOR-universal sequences.
Abstract: The present invention provides encryption schemes and apparatus, which are more efficient than the existing single pass authenticated encryption schemes, while providing the same level of security. The initial vectors, which are an essential part of these schemes, are chosen in an incremental and safe fashion. This also leads to an incremental method for generating the pair-wise differentially uniform sequences or XOR-universal sequences which are another essential part of such schemes. The incrementality of the generation of these sequences extends to even across different plain-text messages being encrypted, leading to substantial savings in time to encrypt. A further step of encryption is shown to be redundant and leads to savings over earlier schemes. Another embodiment describes splitting the plain-text blocks into two sets, and using the block-cipher in encrypt mode on one set and the block-cipher in decrypt mode on the other set, leading to beneficial hardware solutions.
Proceedings ArticleDOI
06 Apr 2008
TL;DR: This work shows that the MC scheme and the Hung-Yu Chien scheme are extremely insecure, and proposes two secure publicly verifiable authenticated encryption schemes to overcome their flaws.
Abstract: An authenticated encryption scheme is a message transmission scheme which sends messages in a secure and authentic way. It is very suitable for mobile devices. Recently, C.S. Ma and K.F. Chen gave a new authenticated encryption scheme, and Hung-Yu Chien also gave a convertible authenticated encryption scheme. However, our analysis shows that the two schemes are extremely insecure. The common flaws of the two schemes are forgeability and repudiation. After giving the corresponding attack on each of the two authenticated encryption schemes, we propose two secure publicly verifiable authenticated encryption schemes to overcome the flaws of the MC scheme and the Hung-Yu Chien scheme. As for efficiency, the computation cost and communication overhead of our proposed schemes are as small as those of the two original schemes, the MC scheme and the Hung-Yu Chien scheme. Finally, we give security proofs for the proposed schemes.

Proceedings ArticleDOI
26 Nov 2008
TL;DR: A proxy convertible authenticated encryption (CAE) scheme allows an original signer to delegate his signing power to a proxy signer such that the proxy signer can generate an authenticated ciphertext on behalf of the original signer.
Abstract: A proxy convertible authenticated encryption (CAE) scheme allows an original signer to delegate his signing power to a proxy signer such that the proxy signer can generate an authenticated ciphertext on behalf of the original signer. The generated authenticated ciphertext can only be decrypted and verified by the specific recipient, and by no one else, for the purpose of confidentiality. By integrating with self-certified public key systems, the proposed scheme saves communication overhead and computation effort, since it is not necessary to transmit and verify a public key certificate. That is, authenticating the public key can be combined with subsequent cryptographic operations such as signature verification. In case of a later repudiation, the specific recipient has the ability to convert the signature into an ordinary one to convince anyone of the signer's dishonesty.


Proceedings ArticleDOI
12 Jun 2008
TL;DR: SRSAE applies authenticated encryption to each data block transferred between clients and the remote block devices and provides strong data confidentiality and integrity protections through trusted IV and MAC comparison.
Abstract: Storage systems are becoming more distributed and more subject to attacks. Cryptographic file systems give a promising way to mitigate the danger of exposing data by using encryption and integrity protection methods and guarantee end-to-end security to clients. This paper describes SRSAE, a generic approach to cryptographic file systems, as well as its realization in a distributed data storage environment. SRSAE applies authenticated encryption to each data block transferred between clients and the remote block devices. It provides strong data confidentiality and integrity protection through trusted IV (initialization vector) and MAC (message authentication code) comparison. Performance is optimized by buffering IVs and MACs locally. Integration into the original file system is presented with a specific implementation. The related model, approach and system realization are elaborated, as well as testing results. Theoretical analysis and experimental simulations show that it is a practical and available way to build a secure network storage system.

Patent
16 May 2008
TL;DR: In this paper, a message authentication code generation method using a stream cipher, an authentication encryption method using the stream cipher, and an authentication decryption method using the stream cipher are provided to perform the authentication encryption process without using an additional random number generation algorithm.
Abstract: A message authentication code generation method using a stream cipher, an authentication encryption method using the stream cipher, and an authentication decryption method using the stream cipher are provided to perform an authentication encryption process without using an additional random number generation algorithm. An input message M is divided into k n-bit message blocks. The divided input messages are encrypted by using a key as a result of an exclusive OR operation for a secret key for generating a message authentication code and a number corresponding to the number of blocks of the divided messages. The intermediate calculated values are obtained by using the encrypted input messages. An exclusive OR operation for the intermediate calculated values is performed. A key sequence generation unit encrypts the result of the exclusive OR operation by using the message authentication code key, in order to generate a message authentication code.

Patent
09 Apr 2008
TL;DR: In this article, an authenticated encryption method and apparatus are described in which plaintext data, P, is encrypted using a secret key, K, to form ciphertext data, C; a MAC is formed over a combination of C and data characteristic of P, and the ciphertext data and the MAC are then output, for example for storage to a storage medium.
Abstract: An authenticated encryption method and apparatus are described in which plaintext data, P, is encrypted, using a secret key, K, to form ciphertext data, C. A message authentication code, MAC, is also formed in dependence on a combination of the ciphertext data, C, and data characteristic of the plaintext data, P', such as a hash of the plaintext data, P. Preferably the combining method is concatenation; however, it may also be an exclusive-OR operation. The ciphertext data and the MAC are then output, for example, for storage to a storage medium. In a preferred embodiment the data obtained by combining the ciphertext data and the data characteristic of the plaintext is input to a block cipher operating in Galois/Counter Mode (GCM) to produce a stored message authentication code dependent on the plaintext data.

Book
01 Jan 2008
TL;DR: This volume collects papers including Improving Integral Attacks Against Rijndael-256 Up to 9 Rounds and Implementation of the AES-128 on Virtex-5 FPGAs.
Abstract: AES.- Improving Integral Attacks Against Rijndael-256 Up to 9 Rounds.- Implementation of the AES-128 on Virtex-5 FPGAs.- Analysis of RFID Protocols.- Weaknesses in a Recent Ultra-Lightweight RFID Authentication Protocol.- Differential Cryptanalysis of Reduced-Round PRESENT.- Invited Talk.- The Psychology of Security.- Cryptographic Protocols.- An (Almost) Constant-Effort Solution-Verification Proof-of-Work Protocol Based on Merkle Trees.- Robust Threshold Schemes Based on the Chinese Remainder Theorem.- An Authentication Protocol with Encrypted Biometric Data.- Authentication.- Authenticated Encryption Mode for Beyond the Birthday Bound Security.- Cryptanalysis of the TRMS Signature Scheme of PKC'05.- Public-Key Cryptography.- New Definition of Density on Knapsack Cryptosystems.- Another Generalization of Wiener's Attack on RSA.- An Adaptation of the NICE Cryptosystem to Real Quadratic Orders.- Pseudorandomness.- A Proof of Security in O(2^n) for the Benes Scheme.- Analysis of Stream Ciphers.- Yet Another Attack on Vest.- Chosen IV Statistical Analysis for Key Recovery Attacks on Stream Ciphers.- Correlated Keystreams in Moustique.- Stream Ciphers Using a Random Update Function: Study of the Entropy of the Inner State.- Analysis of Grain's Initialization Algorithm.- Hash Functions.- Password Recovery on Challenge and Response: Impossible Differential Attack on Hash Function.- How (Not) to Efficiently Dither Blockcipher-Based Hash Functions?.- Broadcast Encryption.- Attribute-Based Broadcast Encryption Scheme Made Efficient.- Lower Bounds for Subset Cover Based Broadcast Encryption.- Invited Talk.- A Brief History of Provably-Secure Public-Key Encryption.- Implementation.- On Compressible Pairings and Their Computation.- Twisted Edwards Curves.- Efficient Multiplication in , m ≥ 1 and 5 ≤ ℓ ≤ 18.

Proceedings ArticleDOI
13 Dec 2008
TL;DR: This paper presents a protocol that simultaneously realizes all three functions (signature, encryption and key exchange) with high efficiency and then gives a security analysis; reusing the same random integer across the three functions makes this protocol more efficient than existing ones.
Abstract: Signature, encryption and key exchange are some of the most important and foundational cryptographic tools. In most cases, they are all needed to provide different security functions. There exist authenticated encryption schemes and signcryption schemes that integrate signature and encryption. On the other hand, there are also some proposals for the efficient combination of signature and key exchange. In this paper, we present a protocol that simultaneously realizes all three functions with high efficiency and then give a security analysis. The random integer k needed for the DH private key is also reused as the encryption key and the signature random integer in both entities, which makes our protocol more efficient than existing ones.