scispace - formally typeset
Topic: Authenticated encryption

About: Authenticated encryption is a research topic. Over the lifetime, 1328 publications have been published within this topic receiving 25968 citations. The topic is also known as: AEAD & Authenticated Encryption with Associated Data.


Papers
Book Chapter
09 Oct 2014
TL;DR: Two variants of OMD that are robust against nonce misuse are presented: misuse-resistant OMD (MR-OMD), designed to be substantially similar to OMD while achieving stronger security goals, and parallelizable misuse-resistant OMD (PMR-OMD), which provides a parallelizable algorithm.
Abstract: We present two variants of OMD which are robust against nonce misuse. Security of OMD, a CAESAR candidate, relies on the assumption that implementations always ensure correct use of the nonce (a.k.a. message number); namely, that the nonce never gets repeated. However, in some application environments, this non-repetitiveness requirement on the nonce might be compromised or ignored, leading to a full collapse of the security guarantee. We aim to reach the maximal possible level of robustness against repeated nonces, as defined by Rogaway and Shrimpton (EUROCRYPT 2006) under the name misuse-resistant AE (MRAE). Our first scheme, called misuse-resistant OMD (MR-OMD), is designed to be substantially similar to OMD while achieving stronger security goals; hence, it is able to reuse any existing common code/hardware. Our second scheme, called parallelizable misuse-resistant OMD (PMR-OMD), further deviates from the original OMD design in its encryption process, providing a parallelizable algorithm, in contrast with OMD and MR-OMD, which have serial encryption/decryption processes. Both MR-OMD and PMR-OMD are single-key modes of operation. It is known that maximally robust MRAE schemes are necessarily two-pass, a price paid compared to a one-pass scheme such as OMD. Nevertheless, in MR-OMD and PMR-OMD, we combine the two passes in a way that minimizes the incurred additional cost: the overhead incurred by the second pass in our two-pass variants is about 50% of the encryption time for OMD.

24 citations

Journal Article
TL;DR: This work describes a systematic framework for using a stream cipher supporting an initialisation vector (IV) to perform various tasks of authentication and authenticated encryption, including message authentication code (MAC), AE, AEAD and DAE(AD); an important practical aspect of this work is that a designer can combine off-the-shelf stream ciphers with off-the-shelf hash functions to obtain secure primitives for MAC, AE, AEAD and DAE(AD).
Abstract: We describe a systematic framework for using a stream cipher supporting an initialisation vector (IV) to perform various tasks of authentication and authenticated encryption. These include message authentication code (MAC), authenticated encryption (AE), authenticated encryption with associated data (AEAD) and deterministic authenticated encryption (DAE) with associated data. Several schemes are presented and rigorously analysed. A major component of the constructions is a keyed hash function having provably low collision and differential probabilities. Methods are described to efficiently extend such hash functions to take multiple inputs. In particular, double-input hash functions are required for the construction of AEAD schemes. An important practical aspect of our work is that a designer can combine off-the-shelf stream ciphers with off-the-shelf hash functions to obtain secure primitives for MAC, AE, AEAD and DAE(AD).

24 citations
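The two entries above turn on the same two facts: a nonce-based AEAD such as AES-GCM gives up everything once a nonce repeats, and a misuse-resistant scheme pays for a second pass because it must run a PRF over the whole message before it can start encrypting. The Go program below is an added example and not code from either paper. It first recovers a plaintext from two AES-GCM ciphertexts that share a key and nonce, then builds a SIV-style MRAE scheme in the spirit of the second abstract's framework, from an off-the-shelf stream cipher (AES-CTR) and a keyed hash (HMAC-SHA256), with the tag doubling as the IV. The construction, the key and nonce values and the function names are constructed for illustration; it is not OMD, MR-OMD or PMR-OMD.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// gcmNonceReuseLeak shows why nonce-based AEAD collapses on a repeated nonce:
// AES-GCM is CTR mode plus GHASH, so two ciphertexts under the same key and
// nonce were XORed with the same keystream. Given known p1, an attacker
// recovers the overlapping prefix of p2 from the two ciphertexts alone.
func gcmNonceReuseLeak(key, nonce, p1, p2 []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(blk)
	if err != nil {
		panic(err)
	}
	c1 := g.Seal(nil, nonce, p1, nil) // ciphertext || tag
	c2 := g.Seal(nil, nonce, p2, nil)
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	recovered := make([]byte, n)
	for i := 0; i < n; i++ {
		recovered[i] = c1[i] ^ c2[i] ^ p1[i] // the shared keystream cancels
	}
	return recovered
}

// --- SIV-style MRAE from a stream cipher plus a keyed hash. Hypothetical
// construction for illustration only; not any of the papers' schemes. ---

const sivTagLen = 16

// sivTag is the first pass: a PRF over (nonce, ad, plaintext). Each field is
// length-prefixed so that different splits of the same bytes never collide.
func sivTag(kMac, nonce, ad, pt []byte) []byte {
	m := hmac.New(sha256.New, kMac)
	var l [8]byte
	for _, part := range [][]byte{nonce, ad, pt} {
		binary.BigEndian.PutUint64(l[:], uint64(len(part)))
		m.Write(l[:])
		m.Write(part)
	}
	return m.Sum(nil)[:sivTagLen]
}

// sivSeal is the second pass: the tag doubles as the IV for AES-CTR, so a
// repeated nonce only reveals whether (ad, pt) repeated, never the keystream.
func sivSeal(kEnc, kMac, nonce, ad, pt []byte) []byte {
	tag := sivTag(kMac, nonce, ad, pt)
	blk, err := aes.NewCipher(kEnc)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCTR(blk, tag).XORKeyStream(ct, pt)
	return append(tag, ct...)
}

// sivOpen decrypts, recomputes the tag and compares it in constant time.
func sivOpen(kEnc, kMac, nonce, ad, c []byte) ([]byte, error) {
	if len(c) < sivTagLen {
		return nil, errors.New("ciphertext too short")
	}
	tag, ct := c[:sivTagLen], c[sivTagLen:]
	blk, err := aes.NewCipher(kEnc)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(blk, tag).XORKeyStream(pt, ct)
	if !hmac.Equal(tag, sivTag(kMac, nonce, ad, pt)) {
		return nil, errors.New("authentication failed")
	}
	return pt, nil
}

func main() {
	// Constructed sample inputs; the nonce is reused on purpose.
	key := []byte("0123456789abcdef")
	kMac := []byte("fedcba9876543210")
	nonce := []byte("unique-nonce") // 12 bytes, GCM's default nonce size
	p1 := []byte("transfer 100 EUR to account A")
	p2 := []byte("transfer 999 EUR to account B")

	fmt.Printf("GCM nonce reuse recovers: %q\n", gcmNonceReuseLeak(key, nonce, p1, p2))

	c1 := sivSeal(key, kMac, nonce, nil, p1)
	c2 := sivSeal(key, kMac, nonce, nil, p2)
	fmt.Println("SIV: identical inputs give identical output:", bytes.Equal(c1, sivSeal(key, kMac, nonce, nil, p1)))
	fmt.Println("SIV: different plaintexts get different IVs:", !bytes.Equal(c1[:sivTagLen], c2[:sivTagLen]))
	_, err := sivOpen(key, kMac, nonce, []byte("wrong ad"), c1)
	fmt.Println("SIV: wrong associated data rejected:", err != nil)
}
```

sivSeal reads the plaintext twice, once for the HMAC and once for CTR, which is exactly the two-pass price the first abstract discusses, and its output is deterministic, so a repeated (nonce, ad, pt) tells an observer that the same message was sent again and nothing more. For production use, take a standardised MRAE mode such as AES-GCM-SIV rather than a home-made one.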

Book Chapter
20 Apr 2015
TL;DR: This work presents an optimized and timing-resistant implementation of GCM over AES-128 using instructions aimed to speed up binary polynomial multiplication, an operation which can be used to implement binary field multiplication.
Abstract: The Galois/Counter Mode is an authenticated encryption scheme which is included in protocols such as TLS and IPSec. Its implementation requires multiplication over a binary finite field, an operation which is costly to implement in software. Recent processors have included instructions aimed to speed up binary polynomial multiplication, an operation which can be used to implement binary field multiplication. Some processors of the ARM architecture, which was reported in 2014 to be present in 95% of smartphones, include such instructions. In particular, recent devices such as the iPhone 5s and Galaxy Note 4 have ARMv8 processors, which provide instructions able to multiply two 64-bit binary polynomials and to encrypt using the AES cipher. In this work we present an optimized and timing-resistant implementation of GCM over AES-128 using these instructions. We have obtained timings of 1.71 cycles per byte for GCM authenticated encryption (9 times faster than the timing on ARMv7), 0.51 cycles per byte for GCM authentication only (11 times faster) and 1.21 cycles per byte for AES-128 encryption (8 times faster).

24 citations
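GHASH is the part of GCM the paper accelerates: a polynomial hash over GF(2^128) in which every multiplication is by the secret constant H = E_K(0), so a table-driven software multiply leaks H through cache timing, and a carry-less multiply instruction is what makes a timing-resistant implementation cheap. The Go program below is an added reference implementation, not the paper's ARMv8 code: it implements the GF(2^128) multiplication of NIST SP 800-38D bit-serially with masks instead of branches or tables, assembles the GCM tag from it, and checks the result against the standard library's AES-GCM. Key, nonce and message values are constructed sample inputs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// gfMul multiplies x and y in GF(2^128) with the bit-reflected convention of
// NIST SP 800-38D, Algorithm 1 (R = 0xE1 || 0^120). It is bit-serial and
// branch-free: every step is a mask-and-XOR, so timing does not depend on the
// secret hash key H. Production code uses carry-less multiply instructions
// (ARMv8 PMULL, x86 PCLMULQDQ) for the same property at a fraction of the cost.
func gfMul(x, y [16]byte) [16]byte {
	var z [16]byte
	v := y
	for i := 0; i < 128; i++ {
		bit := (x[i/8] >> (7 - uint(i)%8)) & 1
		mask := byte(0) - bit // 0x00 or 0xFF, no branch
		for j := range z {
			z[j] ^= v[j] & mask
		}
		lsb := v[15] & 1
		for j := 15; j > 0; j-- { // V = V >> 1 across the 16 bytes
			v[j] = v[j]>>1 | v[j-1]<<7
		}
		v[0] >>= 1
		v[0] ^= 0xE1 & (byte(0) - lsb) // reduce modulo x^128 + x^7 + x^2 + x + 1
	}
	return z
}

// ghash absorbs A || pad || C || pad || [len(A)]64 || [len(C)]64 (lengths in bits).
func ghash(h [16]byte, ad, ct []byte) [16]byte {
	var y [16]byte
	absorb := func(data []byte) {
		for i := 0; i < len(data); i += 16 {
			var blk [16]byte
			copy(blk[:], data[i:]) // a final partial block is zero-padded
			for j := range y {
				y[j] ^= blk[j]
			}
			y = gfMul(y, h)
		}
	}
	absorb(ad)
	absorb(ct)
	var lens [16]byte
	binary.BigEndian.PutUint64(lens[:8], uint64(len(ad))*8)
	binary.BigEndian.PutUint64(lens[8:], uint64(len(ct))*8)
	for j := range y {
		y[j] ^= lens[j]
	}
	return gfMul(y, h)
}

// gcmSeal is AES-GCM with a 96-bit nonce, returning ciphertext || 16-byte tag.
func gcmSeal(key, nonce, pt, ad []byte) []byte {
	if len(nonce) != 12 {
		panic("this example handles 96-bit nonces only")
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	var zero, h, j0 [16]byte
	blk.Encrypt(h[:], zero[:]) // H = E_K(0^128)
	copy(j0[:], nonce)
	j0[15] = 1 // J0 = nonce || 0^31 || 1
	ctr := j0
	ct := make([]byte, len(pt))
	var ks [16]byte
	for i := 0; i < len(pt); i += 16 {
		binary.BigEndian.PutUint32(ctr[12:], binary.BigEndian.Uint32(ctr[12:])+1) // inc32
		blk.Encrypt(ks[:], ctr[:])
		for j := 0; j < 16 && i+j < len(pt); j++ {
			ct[i+j] = pt[i+j] ^ ks[j]
		}
	}
	s := ghash(h, ad, ct)
	var ekj0 [16]byte
	blk.Encrypt(ekj0[:], j0[:])
	tag := make([]byte, 16)
	for i := range tag {
		tag[i] = ekj0[i] ^ s[i] // T = E_K(J0) XOR GHASH_H(A, C)
	}
	return append(ct, tag...)
}

// matchesStdlib cross-checks gcmSeal against crypto/cipher's AES-GCM.
func matchesStdlib(key, nonce, pt, ad []byte) bool {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	return bytes.Equal(gcmSeal(key, nonce, pt, ad), g.Seal(nil, nonce, pt, ad))
}

func main() {
	// Constructed sample inputs.
	key := []byte("0123456789abcdef")
	nonce := []byte("twelve_bytes")
	pt := []byte("GHASH is GF(2^128) arithmetic over the ciphertext")
	ad := []byte("header")
	fmt.Println("reference GCM matches crypto/cipher:", matchesStdlib(key, nonce, pt, ad))
}
```

The bit-serial loop costs 128 mask-and-shift rounds per 16-byte block, which is why the paper's 0.51 cycles per byte for authentication only is possible solely with a hardware carry-less multiply; the point of this version is to show what the instruction computes and that constant-time GHASH needs no secret-indexed table.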

Journal Article
TL;DR: An authentication scheme applying authenticated identity-based cryptography without a key-escrow mechanism is proposed; only partial secrets instead of full secrets are stored in the MSP, which could prevent a compromised MSP from endangering the whole system.
Abstract: The Internet has made the world smaller, while there is still a gap between the cyber world and our physical world. In the future cyber-physical system (CPS), all objects in the cyber world and the physical world would be connected, and the concepts of cyber world and physical world will no longer exist. The speed of information transmission and processing will be faster, the abilities to control facilities and handle events will be more powerful, and our lives will be better. In the CPS, machine-to-machine (M2M) communication is in charge of data collection and transmission, utilizing both wireless and wired systems to monitor physical or environmental conditions and exchange information among different systems without direct human intervention. As a part of CPS, M2M communication is considerably important while being fragile at the same time, because M2M communication still faces many security threats, not only from outside but also from inside. In traditional M2M communication, the M2M service provider (MSP) is always assumed to be trusted. However, the MSP could be compromised in the real world. In that case, the previous security solutions would fail, because the most confidential materials are kept in the MSP by the conventional solutions. How to protect the entire system from a compromised MSP is one important problem the paper intends to solve. In addition, the communication bandwidth and energy resources of M2M devices are precious. Another issue the paper addresses is the design of efficient security schemes able to save both energy and communication bandwidth. In this paper, an authentication scheme applying authenticated identity-based cryptography without a key-escrow mechanism is proposed. In the proposed scheme, only partial secrets instead of full secrets are stored in the MSP, which could prevent a compromised MSP from endangering the whole system. The authenticated encryption property of the proposed scheme removes the need for signature generation, transmission, and verification, so as to save the computation and communication resources of the whole system. The security analysis with Burrows–Abadi–Needham logic (BAN logic) and the Simple Promela Interpreter (SPIN) shows that the proposed scheme is well designed and could withstand man-in-the-middle attacks, impersonation attacks, replay attacks, DoS attacks, and compromised attacks. Copyright © 2016 John Wiley & Sons, Ltd.

24 citations

Book Chapter
20 Sep 2005
TL;DR: It is argued that, where possible, authenticated encryption should be used and, where this is not possible, a stream cipher would appear to be the superior choice; this raises a major question mark over the future use of CBC mode, except as part of a more complex mode designed to provide authenticated encryption.
Abstract: This paper is primarily concerned with the CBC block cipher mode. The impact on the usability of this mode of recently proposed padding oracle attacks, together with other related attacks described in this paper, is considered. For applications where unauthenticated encryption is required, the use of CBC mode is compared with its major symmetric rival, namely the stream cipher. It is argued that, where possible, authenticated encryption should be used, and, where this is not possible, a stream cipher would appear to be a superior choice. This raises a major question mark over the future use of CBC mode, except as part of a more complex mode designed to provide authenticated encryption.

24 citations
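The padding oracle attack the abstract refers to is the reason unauthenticated CBC is so hard to use safely: a decryptor that reveals whether the PKCS#7 padding was valid, even only through a different error message or response time, lets anyone holding a ciphertext decrypt it block by block without the key. The Go program below is an added example, not code from the paper: it builds such an oracle over AES-CBC and then runs the attack against it, using at most 257 queries per recovered byte. Key, IV and message are constructed sample inputs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// cbcEncrypt applies PKCS#7 padding and AES-CBC with no MAC: the "before" picture.
func cbcEncrypt(key, iv, pt []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	padLen := 16 - len(pt)%16
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, padded)
	return ct
}

// paddingValid is the oracle: a server that decrypts and reports bad padding
// distinctly from other failures (by message, status code or timing) hands the
// attacker exactly this one bit per query.
func paddingValid(key, iv, ct []byte) bool {
	blk, err := aes.NewCipher(key)
	if err != nil || len(ct) == 0 || len(ct)%16 != 0 {
		return false
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > 16 || n > len(pt) {
		return false
	}
	for _, b := range pt[len(pt)-n:] {
		if int(b) != n {
			return false
		}
	}
	return true
}

// recoverBlock learns D_K(target) byte by byte from the oracle alone, then XORs
// it with the preceding ciphertext block (or the IV) to obtain the plaintext.
func recoverBlock(prev, target []byte, ask func(iv, ct []byte) bool) []byte {
	inter := make([]byte, 16) // D_K(target), the CBC intermediate block
	plain := make([]byte, 16)
	for pos := 15; pos >= 0; pos-- {
		pad := byte(16 - pos)
		forged := make([]byte, 16) // used as the IV in front of the lone target block
		for j := pos + 1; j < 16; j++ {
			forged[j] = inter[j] ^ pad // force already-known bytes to the pad value
		}
		for guess := 0; guess < 256; guess++ {
			forged[pos] = byte(guess)
			if !ask(forged, target) {
				continue
			}
			if pos == 15 {
				// Rule out a false positive such as ...0x02 0x02: alter byte 14
				// and ask again; only a genuine 0x01 padding still validates.
				forged[14] ^= 0xff
				ok := ask(forged, target)
				forged[14] ^= 0xff
				if !ok {
					continue
				}
			}
			inter[pos] = byte(guess) ^ pad
			plain[pos] = inter[pos] ^ prev[pos]
			break
		}
	}
	return plain
}

// paddingOracleDecrypt recovers the whole message without the key.
func paddingOracleDecrypt(iv, ct []byte, ask func(iv, ct []byte) bool) []byte {
	var out []byte
	prev := iv
	for i := 0; i < len(ct); i += 16 {
		out = append(out, recoverBlock(prev, ct[i:i+16], ask)...)
		prev = ct[i : i+16]
	}
	return out[:len(out)-int(out[len(out)-1])] // strip PKCS#7 padding
}

func main() {
	// Constructed sample inputs; the attacker side never touches key.
	key := []byte("0123456789abcdef")
	iv := []byte("initialisationvc")
	secret := []byte("CBC without a MAC is a decryption oracle")
	ct := cbcEncrypt(key, iv, secret)
	ask := func(iv, ct []byte) bool { return paddingValid(key, iv, ct) }
	fmt.Printf("recovered without the key: %q\n", paddingOracleDecrypt(iv, ct, ask))
}
```

The remedy is the abstract's own conclusion: authenticate IV and ciphertext (a MAC checked before any decryption, or an AEAD mode) and fail uniformly, so that the only behaviour a decryptor exposes is a single indistinguishable rejection.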


Network Information

Related Topics (5)
Public-key cryptography: 27.2K papers, 547.7K citations, 90% related
Cryptography: 37.3K papers, 854.5K citations, 89% related
Encryption: 98.3K papers, 1.4M citations, 86% related
Hash function: 31.5K papers, 538.5K citations, 84% related
Authentication: 74.7K papers, 867.1K citations, 83% related

Performance Metrics
No. of papers in the topic in previous years
Year  Papers
2023  19
2022  52
2021  67
2020  109
2019  111
2018  97