
Showing papers on "Authenticated encryption" published in 2011


Book ChapterDOI
11 Aug 2011
TL;DR: In this paper, the authors proposed a duplex construction, which is closely related to the sponge construction, that accepts message blocks to be hashed and provides digests on the input blocks received so far.
Abstract: This paper proposes a novel construction, called duplex, closely related to the sponge construction, that accepts message blocks to be hashed and---at no extra cost---provides digests on the input blocks received so far. It can be proven equivalent to a cascade of sponge functions and hence inherits its security against single-stage generic attacks. The main application proposed here is an authenticated encryption mode based on the duplex construction. This mode is efficient, namely, enciphering and authenticating together require only a single call to the underlying permutation per block, and is readily usable in, e.g., key wrapping. Furthermore, it is the first mode of this kind to be directly based on a permutation instead of a block cipher and to natively support intermediate tags. The duplex construction can be used to efficiently realize other modes, such as reseedable pseudo-random bit sequence generators and a sponge variant that overwrites part of the state with the input block rather than XORing it in.

313 citations


Book ChapterDOI
26 Jun 2011
TL;DR: The Hummingbird-2 algorithm, its design and security arguments, performance analysis on both software and hardware platforms, and timing analysis in relation to the ISO 18000-6C protocol are presented.
Abstract: Hummingbird-2 is an encryption algorithm with a 128-bit secret key and a 64-bit initialization vector. Hummingbird-2 optionally produces an authentication tag for each message processed. Like its predecessor Hummingbird-1, Hummingbird-2 has been targeted for low-end microcontrollers and for hardware implementation in lightweight devices such as RFID tags and wireless sensors. Compared to the previous version of the cipher, and in response to extensive analysis, the internal state has been increased to 128 bits and the flow of entropy from the state to the mixing function has been improved. In this paper we present the Hummingbird-2 algorithm, its design and security arguments, performance analysis on both software and hardware platforms, and timing analysis in relation to the ISO 18000-6C protocol.

155 citations


Book ChapterDOI
04 Dec 2011
TL;DR: It is shown that when tags are longer, the TLS Record Protocol meets a new length-hiding authenticated encryption security notion that is stronger than IND-CCA.
Abstract: We analyze the security of the TLS Record Protocol, a MAC-then-Encode-then-Encrypt (MEE) scheme whose design targets confidentiality and integrity for application layer communications on the Internet. Our main results are twofold. First, we give a new distinguishing attack against TLS when variable length padding and short (truncated) MACs are used. This combination will arise when standardized TLS 1.2 extensions (RFC 6066) are implemented. Second, we show that when tags are longer, the TLS Record Protocol meets a new length-hiding authenticated encryption security notion that is stronger than IND-CCA.

147 citations


Book ChapterDOI
11 Aug 2011
TL;DR: A natural, but non-tight, reductionist security proof for deterministic message authentication code (MAC) schemes in the multi-user setting is examined, finding deficiencies in the security assurances provided by non-tight proofs, including ones for network authentication and aggregate MACs.
Abstract: We examine a natural, but non-tight, reductionist security proof for deterministic message authentication code (MAC) schemes in the multi-user setting. If security parameters for the MAC scheme are selected without accounting for the non-tightness in the reduction, then the MAC scheme is shown to provide a level of security that is less than desirable in the multi-user setting. We find similar deficiencies in the security assurances provided by non-tight proofs when we analyze some protocols in the literature including ones for network authentication and aggregate MACs. Our observations call into question the practical value of non-tight reductionist security proofs. We also exhibit attacks on authenticated encryption schemes, disk encryption schemes, and stream ciphers in the multi-user setting.

62 citations


Proceedings ArticleDOI
03 Dec 2011
TL;DR: A CP2-ABSC construction from pairings is proposed which is more efficient than the combination of CP-ABE and CP-ABS that provides the same functionality of authenticated encryption.
Abstract: We propose a new notion called attribute-based signcryption with ciphertext-policy and claim-predicate mechanism (CP2-ABSC), which is inspired by the recent developments in attribute-based encryption and attribute-based signature. In this notion, a signcrypting party, who possesses a set of attributes from the authority, can sign a message with a claim-predicate that is satisfied by his attributes, and encrypt it with an access policy stating what kind of receivers will be able to decrypt the message. As in ciphertext-policy attribute-based encryption (CP-ABE), a user will only be able to decrypt a signcrypted message if that user's attributes satisfy the access policy associated with the signcrypted message. As in attribute-based signature with claim-predicate mechanism (CP-ABS), an unsigncrypting party can verify the authenticity of the signcrypted message against the claim-predicate over the signcrypting party's attributes. We give the formal definition and security model of CP2-ABSC, and propose a CP2-ABSC construction from pairings which is more efficient than the combination of CP-ABE and CP-ABS that provides the same functionality of authenticated encryption. The proposed CP2-ABSC scheme is proved to be secure in the generic group model and random oracle model.

42 citations


Patent
11 Oct 2011
TL;DR: In this paper, the authors proposed a framework for authenticated encryption for digital signatures with message recovery whereby authentication is achieved without a redundancy requirement, and the Elliptic Curve Pintsov-Vanstone Signature scheme is modified through the use of authenticated encryption, thereby enabling authentication using a message authentication code (1028).
Abstract: A framework is proposed for authenticated encryption for digital signatures with message recovery whereby authentication is achieved without a redundancy requirement. The Elliptic Curve Pintsov-Vanstone Signature scheme is modified through the use of authenticated encryption, thereby enabling authentication using a message authentication code (1028). The authenticated encryption may be performed within a single function or as two separate functions. The authenticated encryption may also be applied to associated data in the message (104) to be signed.

33 citations


Proceedings ArticleDOI
19 Dec 2011
TL;DR: This paper presents an Authenticated Encryption (AE) based security framework for NoC-based systems that resides in the Network Interface of every secure IP core, allowing secure communication among such IP cores.
Abstract: Network on Chip (NoC) is an emerging solution to the existing scalability problems with SoC. However, it is exposed to security threats like extraction of secret information from IP cores. In this paper we present an Authenticated Encryption (AE) based security framework for NoC-based systems. The security framework resides in the Network Interface (NI) of every secure IP core, allowing secure communication among such IP cores. We simulated and implemented our framework using Verilog/VHDL modules on top of the NoCem emulator. The results showed tolerable area overhead and did not affect the network performance apart from some initial latency.

29 citations


Book ChapterDOI
11 Aug 2011
TL;DR: It is argued that ASC-1 is secure by reducing its (IND-CCA, INT-CTXT) security to the problem of distinguishing the case when the round keys are uniformly random from the case when the round keys are generated by a key scheduling algorithm.
Abstract: The goal of the modes of operation for authenticated encryption is to achieve faster encryption and message authentication by performing both the encryption and the message authentication in a single pass, as opposed to the traditional encrypt-then-MAC approach, which requires two passes. Unfortunately, the use of a block cipher as a building block limits the performance of the authenticated encryption schemes to at most one message block per block cipher evaluation. In this paper, we propose the authenticated encryption scheme ASC-1 (Authenticating Stream Cipher One). Similarly to LEX, ASC-1 uses leak extraction from different AES rounds to compute the key material that is XOR-ed with the message to compute the ciphertext. Unlike LEX, ASC-1 operates in a CFB fashion to compute an authentication tag over the encrypted message. We argue that ASC-1 is secure by reducing its (IND-CCA, INT-CTXT) security to the problem of distinguishing the case when the round keys are uniformly random from the case when the round keys are generated by a key scheduling algorithm.

27 citations


Journal ArticleDOI
TL;DR: This paper discusses an example implementation of the proposed GHASH modifications using the above instructions and shows that, when N multipliers are used, and the multipliers use the approach of multiplying polynomials then applying a modular reduction, a single modular reduction can be used instead of N separate operations.
Abstract: The level of interest in Galois Counter Mode (GCM) Authenticated Encryption rose significantly within the last few years. GCM is interesting because it is the only authenticated encryption standard that can be implemented in a fully pipelined or parallelized way and it is the most appropriate for encrypting packetized data. McGrew and Viega described (but did not detail) how GHASH can be implemented with more than one multiplier operating in parallel. This paper details how that can be done and shows that, when N multipliers are used, and the multipliers use the approach of multiplying polynomials then applying a modular reduction, a single modular reduction can be used instead of N separate operations. This optimization can be used even when there is a single multiplier, which gives this implementation strategy a broader appeal. Recently Intel has introduced new ISA instructions into the next generation CPU core, namely the AES family and PCLMULQDQ, operating in the XMM register domain. In this paper, we discuss an example implementation of the proposed GHASH modifications using the above instructions.

25 citations


Proceedings ArticleDOI
04 Oct 2011
TL;DR: This paper identifies Authenticated Encryption with Associated Data (AEAD) schemes suitable for WSNs by evaluating their features and performance on TelosB sensor nodes, and identifies the recommended choices depending on the characteristics of the target network.
Abstract: Security is an important concern in any modern network. This also applies to Wireless Sensor Networks (WSNs), especially those used in applications that monitor sensitive information (e.g., health care applications). However, the highly constrained nature of sensors imposes a difficult challenge: their reduced availability of memory, processing power and energy hinders the deployment of many modern cryptographic algorithms considered secure. For this reason, the choice of the most memory-, processing- and energy-efficient security solutions is of vital importance in WSNs. To date, several authors have developed extensive analyses comparing different encryption algorithms and key management schemes, while very little attention has been given to message authentication mechanisms. In this paper, we address these issues by identifying Authenticated Encryption with Associated Data (AEAD) schemes suitable for WSNs and by evaluating their features and performance on TelosB sensor nodes. As a result of this analysis, we identify the recommended choices depending on the characteristics of the target network.

24 citations


Book ChapterDOI
14 Aug 2011
TL;DR: A RO-based transform RHtE is presented that endows any AE scheme with this security, so that existing implementations may be easily upgraded to have the best possible security in the presence of key-dependent data.
Abstract: This paper provides a comprehensive treatment of the security of authenticated encryption (AE) in the presence of key-dependent data, considering the four variants of the goal arising from the choice of universal-nonce or random-nonce security and the presence or absence of a header. We present attacks showing that universal-nonce security for key-dependent messages is impossible, as is security for key-dependent headers, not only ruling out security for three of the four variants but showing that currently standardized and used schemes (all of which target universal-nonce security in the presence of headers) fail to provide security for key-dependent data. To complete the picture we show that the final variant (random-nonce security in the presence of key-dependent messages but key-independent headers) is efficiently achievable. Rather than a single dedicated scheme, we present a RO-based transform RHtE that endows any AE scheme with this security, so that existing implementations may be easily upgraded to have the best possible security in the presence of key-dependent data. RHtE is cheap, software-friendly, and continues to provide security when the key is a password, a setting in which key-dependent data is particularly likely. We go on to give a key-dependent data treatment of the goal of misuse-resistant AE. Implementations are provided and show that RHtE has small overhead.

Proceedings ArticleDOI
27 Feb 2011
TL;DR: The SHA HMAC-based bitstream authentication algorithm and protocol in Virtex-6 FPGAs are described, and it is shown how they are integrated in the bitstream.
Abstract: FPGA bitstream encryption blocks theft of the design in the FPGA bitstream by preventing unauthorized copy and reverse engineering. By itself, encryption does not protect against tampering with the bitstream, so without additional capabilities, bitstream encryption cannot prevent the FPGA from executing an unauthorized bitstream. An unauthorized bitstream might be generated by trial and error to cause the FPGA to leak confidential data, including the decrypted bitstream. Strong authentication detects tampering with the bitstream, providing a root of trust that enables applications that require protection of sensitive data in a hostile environment. This paper describes the SHA HMAC-based bitstream authentication algorithm and protocol in Virtex-6 FPGAs and shows how they are integrated in the bitstream.

Journal ArticleDOI
TL;DR: In this article, the authors take a close look at Kerberos' encryption, and confirm that most of the options in the current version provably provide privacy and authenticity, although some require slight modifications which they suggest.
Abstract: Kerberos is a widely deployed network authentication protocol currently being considered for standardisation. Many works have analysed its security, identifying flaws and often suggesting fixes, thus promoting the protocol's evolution. Several recent results present successful, formal methods-based verifications of a significant portion of the current version, v.5 and some even imply security in the computational setting. For these results to hold, encryption in Kerberos should satisfy strong cryptographic security notions. However, prior to the authors' work, none of the encryption schemes currently deployed as part of Kerberos, nor their proposed revisions, were known to provably satisfy such notions. The authors take a close look at Kerberos' encryption, and they confirm that most of the options in the current version provably provide privacy and authenticity, although some require slight modifications which they suggest. The authors' results complement the formal methods-based analysis of Kerberos that justifies its current design.

Posted Content
TL;DR: In this paper, a natural, but non-tight, reductionist security proof for deterministic message authentication code (MAC) schemes in the multi-user setting is presented. If the security parameters for the MAC scheme are selected without accounting for the non-tightness in the reduction, the MAC scheme provides less security than desired.
Abstract: We examine a natural, but non-tight, reductionist security proof for deterministic message authentication code (MAC) schemes in the multi-user setting. If security parameters for the MAC scheme are selected without accounting for the non-tightness in the reduction, then the MAC scheme is shown to provide a level of security that is less than desirable in the multi-user setting. We find similar deficiencies in the security assurances provided by non-tight proofs when we analyze some protocols in the literature including ones for network authentication and aggregate MACs. Our observations call into question the practical value of non-tight reductionist security proofs. We also exhibit attacks on authenticated encryption schemes, disk encryption schemes, and stream ciphers in the multi-user setting.

Proceedings ArticleDOI
03 Dec 2011
TL;DR: A 512-bit message authentication code generated by a keyed hash function is embedded into the image by a reversible data embedding technique; it not only plays the role of authentication but also contributes to the image encryption.
Abstract: In this paper, a fast image encryption and authentication scheme is presented. In the proposed scheme, a 512-bit message authentication code generated by a keyed hash function is embedded into the image by a reversible data embedding technique. Then the embedded image is masked by a pseudo-random sequence in feedback mode. The embedded message authentication code not only plays the role of authentication but also contributes to the image encryption. The algorithm can effectively resist chosen-plaintext and known-plaintext attacks. Theoretical analysis and computer simulation indicate that our algorithm is efficient and highly secure.

Journal ArticleDOI
TL;DR: This paper demonstrates that their CAE scheme is vulnerable to the chosen-plaintext attack and proposes an improved variant that achieves confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) and unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA).

Journal ArticleDOI
TL;DR: This work proposes a novel identity-based key-insulated convertible multi-authenticated encryption scheme (IB-KI-CMAE), which can effectively reduce the impact caused by the key exposure, and formally proves that the proposed scheme achieves the security requirement of confidentiality against indistinguishability under adaptive chosen-ciphertext attacks.

Journal ArticleDOI
TL;DR: A decentralized and self-healing secure multicast framework is proposed, which is based on the new multi-hop proxy encryption, in order to address the unique vulnerabilities of wireless mesh network.

Journal ArticleDOI
TL;DR: This paper proposes the first identity-based key-insulated CAE (IB-KICAE) scheme from pairings; it can effectively mitigate the impact caused by key exposure, as each user can periodically update his private key while the corresponding public one remains unchanged.
Abstract: For securing confidential applications such as credit card transactions, on-line auctions and business contract signing, etc., a convertible authenticated encryption (CAE) scheme simultaneously satisfying the properties of authenticity, confidentiality and non-repudiation is a better choice. By combining the advantages of identity-based systems and key-insulated ones, in this paper, we propose the first novel identity-based key-insulated CAE (IB-KICAE) scheme from pairings. Integrating with key-insulated systems, our scheme can effectively mitigate the impact caused by key exposure, as each user can periodically update his private key while the corresponding public one remains unchanged. The proposed scheme is conversion-free and supports unbounded time periods and random-access key-updates. Moreover, to guarantee its practical feasibility, the essential security requirement of confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) and that of unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA) are realized in the random oracle model.

Book ChapterDOI
19 Oct 2011
TL;DR: An implementation of the Galois/Counter Mode (GCM) for the Advanced Encryption Standard (AES) in IPsec is presented, together with a technique where the counter encryptions are precomputed on a Graphics Processing Unit (GPU) and can later be used to encrypt the plaintext.
Abstract: We present an implementation of the Galois/Counter Mode (GCM) for the Advanced Encryption Standard (AES) in IPsec in this paper. GCM is a so-called "authenticated encryption" mode as it can ensure confidentiality, integrity and authentication. It uses Counter Mode for encryption, so counters are encrypted for an exclusive-OR with the plaintext. We describe a technique where these encryptions are precomputed on a Graphics Processing Unit (GPU) and can later be used to encrypt the plaintext, whereupon only the exclusive-OR and the authentication part of GCM are left to be computed. This technique should not limit the performance to the speed of the AES implementation but allow Gigabit throughput while at the same time minimizing the CPU load.


Journal ArticleDOI
TL;DR: An improvement of Hwang et al.'s authenticated encryption scheme is given, which not only solves the security issue of the original scheme, but also maintains its efficiency.
Abstract: Authenticated encryption schemes are very useful for private and authenticated communication. In 2010, Rasslan and Youssef showed that Hwang et al.'s authenticated encryption scheme is not secure by presenting a message forgery attack. However, Rasslan and Youssef did not show how to solve the security issue. In this letter, we give an improvement of Hwang et al.'s scheme. The improved scheme not only solves the security issue of the original scheme, but also maintains its efficiency.

Posted Content
TL;DR: Hummingbird-2 is an encryption algorithm with a 128-bit secret key and a 64-bit initialization vector, targeted for low-end microcontrollers and for hardware implementation in lightweight devices such as RFID tags and wireless sensors.
Abstract: Hummingbird-2 is an encryption algorithm with a 128-bit secret key and a 64-bit initialization vector. Hummingbird-2 optionally produces an authentication tag for each message processed. Like its predecessor Hummingbird-1, Hummingbird-2 has been targeted for low-end microcontrollers and for hardware implementation in lightweight devices such as RFID tags and wireless sensors. Compared to the previous version of the cipher, and in response to extensive analysis, the internal state has been increased to 128 bits and the flow of entropy from the state to the mixing function has been improved. In this paper we present the Hummingbird-2 algorithm, its design and security arguments, performance analysis on both software and hardware platforms, and timing analysis in relation to the ISO 18000-6C protocol.

Posted Content
TL;DR: In this paper, the authors show that GHASH, the authentication component of the Galois/Counter Mode (GCM), has much wider classes of weak keys in its 512 multiplicative subgroups than the trivial weak key H = 0 considered so far.
Abstract: The Galois/Counter Mode (GCM) of operation has been standardized by NIST to provide single-pass authenticated encryption. The GHASH authentication component of GCM belongs to a class of Wegman-Carter polynomial universal hashes that operate in the field GF(2). GCM uses the same block cipher key K both to encrypt data and to derive the generator H of the authentication polynomial. In the present literature, only the trivial weak key H = 0 has been considered. In this note we show that GHASH has much wider classes of weak keys in its 512 multiplicative subgroups, analyze some of their properties, and give experimental results when GCM is used with the AES algorithm.

Posted Content
TL;DR: This work describes a systematic framework for using a stream cipher supporting an initialisation vector (IV) to perform various tasks of authentication and authenticated encryption, including message authentication code (MAC), AE, AEAD and DAE(AD), and proposes methods to efficiently extend such hash functions to take double inputs and more generally multiple inputs.
Abstract: We describe a systematic framework for using a stream cipher supporting an initialisation vector (IV) to perform various tasks of authentication and authenticated encryption. These include message authentication code (MAC), authenticated encryption (AE), authenticated encryption with associated data (AEAD) and deterministic authenticated encryption (DAE) with associated data. Several schemes are presented and rigorously analysed. A major component of the constructions is a keyed hash function having provably low collision and differential probabilities. Methods are described to efficiently extend such hash functions to take double inputs and more generally multiple inputs. In particular, double-input hash functions are required for the construction of AEAD schemes. An important practical aspect of our work is that a designer can combine off-the-shelf stream ciphers with off-the-shelf hash functions to obtain secure primitives for MAC, AE, AEAD and DAE(AD).

Posted Content
TL;DR: McOE-X and McOE-G, as discussed by the authors, are two block-cipher-based OAE schemes that are provably secure against nonce-respecting and general adversaries.
Abstract: On-Line Authenticated Encryption (OAE) combines privacy with data integrity and is on-line computable. Most block-cipher-based schemes for Authenticated Encryption can be run on-line and are provably secure against nonce-respecting adversaries. But they fail badly for more general adversaries. This is not a theoretical observation only – in practice, the reuse of nonces is a frequent issue. In recent years, cryptographers developed misuse-resistant schemes for Authenticated Encryption. These guarantee excellent security even against general adversaries which are allowed to reuse nonces. But they cannot perform on-line encryption. This work introduces a new family of OAE schemes – called McOE – dealing both with nonce-respecting and with general adversaries. Furthermore, we present two block-cipher-based family members, i.e., McOE-X and McOE-G. In contrast to other published OAE schemes, they provably guarantee reasonable security against general adversaries as well as standard security against nonce-respecting adversaries.

Book ChapterDOI
01 Jun 2011
TL;DR: This paper proposes a means of implementing TLS-SA using a GAA bootstrapped key, a simple instantiation of the scheme which makes the password authentication mechanism SSL/TLS session-aware; in addition it describes two possible variants that give security-efficiency trade-offs.
Abstract: Most SSL/TLS-based electronic commerce (e-commerce) applications (including Internet banking) are vulnerable to man-in-the-middle attacks. Such attacks arise since users are often unable to authenticate a server effectively, and because user authentication methods are typically decoupled from SSL/TLS session establishment. Cryptographically binding the two authentication procedures together, a process referred to here as SSL/TLS session-aware user authentication (TLS-SA), is a lightweight and effective countermeasure. In this paper we propose a means of implementing TLS-SA using a GAA bootstrapped key. The scheme employs a GAA-enabled user device with a display and an input capability (e.g. a 3G mobile phone) and a GAA-aware server. We describe a simple instantiation of the scheme which makes the password authentication mechanism SSL/TLS session-aware; in addition we describe two possible variants that give security-efficiency trade-offs. Analysis shows that the scheme is effective, secure and scalable. Moreover, the approach fits well with the multi-institution scenario.

Journal ArticleDOI
TL;DR: This paper presents an attack that allows a dishonest referee, in case of a dispute, to decrypt all future and past authenticated ciphertexts between the contending parties, and presents a simple fix to prevent this attack.

31 Oct 2011
TL;DR: This document defines how AES-GCM, AES-CCM, and other Authenticated Encryption with Associated Data (AEAD) algorithms, can be used to provide confidentiality and data authentication mechanisms in the SRTP protocol.
Abstract: This document defines how AES-GCM, AES-CCM, and other Authenticated Encryption with Associated Data (AEAD) algorithms, can be used to provide confidentiality and data authentication mechanisms in the SRTP protocol.

Proceedings ArticleDOI
21 Sep 2011
TL;DR: This paper proposes an improvement of Hwang et al.'s scheme that can withstand Rasslan et al.'s proposed message forgery attacks, and adds a conversion phase to provide non-repudiation when the signer repudiates his/her signature.
Abstract: An authenticated encryption scheme is very useful for transmitting a confidential message over insecure communication networks. In 2010, Rasslan et al. pointed out that Hwang et al.'s authenticated encryption scheme is not secure by presenting another message forgery attack. However, Rasslan et al. did not propose a countermeasure for Hwang et al.'s scheme. This paper proposes an improvement of Hwang et al.'s scheme that can withstand Rasslan et al.'s proposed message forgery attacks. Unlike Hwang et al.'s scheme, the proposed scheme adds a conversion phase to provide non-repudiation when the signer repudiates his/her signature. As a result, the proposed scheme is more practical than Hwang et al.'s scheme because it not only provides computational efficiency but also achieves all security requirements.