
Authenticated encryption

About: Authenticated encryption is a research topic. Over the lifetime, 1328 publications have been published within this topic receiving 25968 citations. The topic is also known as: AEAD & Authenticated Encryption with Associated Data.


Papers
Proceedings ArticleDOI
08 Sep 2020
TL;DR: In this paper, the authors describe how by inserting a hardware trojan with low overhead in a hardware implementation of Ascon, it is possible to reduce the number of rounds of its initialization stage and perform a cube attack in order to obtain the key.
Abstract: The Ascon algorithm was selected in 2019 in the CAESAR competition as the first choice for lightweight applications, as an alternative to AES-GCM for authenticated encryption. As with other encryption algorithms, Ascon relies on some parameters and security assumptions to guarantee its security. For example, if the number of rounds of the initialization phase of the encryption is reduced, the key can be obtained using a cube attack. In this work we describe how, by inserting a hardware trojan with low overhead in a hardware implementation of Ascon, it is possible to reduce the number of rounds of its initialization stage and perform a cube attack in order to obtain the key in 94 seconds on average.

3 citations

Book ChapterDOI
13 Jun 2012
TL;DR: This paper motivates the need for pipelined variants of authenticated encryption modes in TEEs, describes a pipeline version of the EAX mode, and proves that it is as secure as standard, "baseline", EAX.
Abstract: Trusted execution environments (TEEs) are widely deployed both on mobile devices as well as in personal computers. TEEs typically have a small amount of physically secure memory, but they are not enough to realize certain algorithms, such as authenticated encryption modes, in the standard manner. TEEs can however access the much larger but untrusted system memory, using which "pipelined" variants of these algorithms can be realized by gradually reading input from, and/or writing output to, the untrusted memory. In this paper, we motivate the need for pipelined variants of authenticated encryption modes in TEEs, describe a pipelined version of the EAX mode, and prove that it is as secure as standard, "baseline", EAX. We point out potential pitfalls in mapping the abstract description of a pipelined variant to a concrete implementation and discuss how these can be avoided. We also discuss other algorithms which can be adapted to the pipelined setting and proved correct in a similar fashion.

3 citations

ReportDOI
01 Sep 2018
TL;DR: This document defines several new cipher suites for the Transport Layer Security (TLS) protocol version 1.2 that are all based on the Ephemeral Elliptic Curve Diffie-Hellman with Pre-Shared Key (ECDHE_PSK) key exchange together with the Authenticated Encryption with Associated Data algorithms AES-GCM and AES-CCM.
Abstract: This document defines several new cipher suites for the Transport Layer Security (TLS) protocol version 1.2. The cipher suites are all based on the Ephemeral Elliptic Curve Diffie-Hellman with Pre-Shared Key (ECDHE_PSK) key exchange together with the Authenticated Encryption with Associated Data (AEAD) algorithms AES-GCM and AES-CCM. PSK provides light and efficient authentication, ECDHE provides forward secrecy, and AES-GCM and AES-CCM provide encryption and integrity protection.

3 citations

Posted Content
TL;DR: In this paper, the authors investigate the security of the QUIC record layer, as standardized by the IETF in draft version 30, and propose a security definition for authenticated encryption with semi-implicit nonces.
Abstract: Drawing on earlier protocol-verification work, we investigate the security of the QUIC record layer, as standardized by the IETF in draft version 30. This version features major differences compared to Google's original protocol and early IETF drafts. It serves as a useful test case for our verification methodology and toolchain, while also, hopefully, drawing attention to a little studied yet crucially important emerging standard. We model QUIC packet and header encryption, which uses a custom construction for privacy. To capture its goals, we propose a security definition for authenticated encryption with semi-implicit nonces. We show that QUIC uses an instance of a generic construction parameterized by a standard AEAD-secure scheme and a PRF-secure cipher. We formalize and verify the security of this construction in F*. The proof uncovers interesting limitations of nonce confidentiality, due to the malleability of short headers and the ability to choose the number of least significant bits included in the packet counter. We propose improvements that simplify the proof and increase robustness against strong attacker models. In addition to the verified security model, we also give a concrete functional specification for the record layer, and prove that it satisfies important functionality properties (such as the correct successful decryption of encrypted packets) after fixing more errors in the draft. We then provide a high-performance implementation of the record layer that we prove to be memory safe, correct with respect to our concrete specification (inheriting its functional correctness properties), and secure with respect to our verified model. To evaluate this component, we develop a provably-safe implementation of the rest of the QUIC protocol. Our record layer achieves nearly 2 GB/s throughput, and our QUIC implementation's performance is within 21% of an unverified baseline.

2 citations


Network Information
Related Topics (5)
Public-key cryptography: 27.2K papers, 547.7K citations, 90% related
Cryptography: 37.3K papers, 854.5K citations, 89% related
Encryption: 98.3K papers, 1.4M citations, 86% related
Hash function: 31.5K papers, 538.5K citations, 84% related
Authentication: 74.7K papers, 867.1K citations, 83% related
Performance Metrics
No. of papers in the topic in previous years
Year   Papers
2023   19
2022   52
2021   67
2020   109
2019   111
2018   97