Maria Eichlseder
Applied Cryptography – WT 2017/18
www.iaik.tugraz.at
Confidentiality
as provided by block cipher modes
Authenticity, integrity
as provided by message authentication codes
1 / 43
Outline
Authenticated Encryption
  Requirements
  Generic compositions
  Pitfalls
  Dedicated modes
CAESAR
  The competition
  The candidates
2 / 43
Notation cheatsheet
⊕: xor of bitstrings
‖: concatenation of bitstrings
×: multiplication in a binary finite field
3 / 43
[Figure: Counter (CTR) mode — C_i = M_i ⊕ E_K(N‖i) for i = 1 ... ℓ; ciphertext C ∈ F_2^*]
4 / 43
original → forgery
streaming modes (OFB, CTR): arbitrary modifications, not detectable
  M  ...000100...    M′ ...011100...
  C  ...110011...    C′ ...101011...
any mode: random modification of low-redundancy data
  M  ...000100...    M′ ...??????...
  C  ...110011...    C′ ...101011...
5 / 43
CBC-MAC
[Figure: message M ∈ F_2^* split into blocks M_1 ... M_ℓ, chained through E_K from the initial value 0; the final output is the tag T = MAC_K(M)]
HMAC
[Figure: inner hash h((K ⊕ 0x3636..) ‖ M_1 ··· M_ℓ), outer hash T = h((K ⊕ 0x5c5c..) ‖ h(...)); tag T ∈ F_2^b]
7 / 43
[Figure: authenticated encryption output — ciphertext C ∈ F_2^*, tag T ∈ F_2^b]
8 / 43
Authenticated Encryption E
Verified Decryption D
9 / 43
Generic compositions
[Figure: message M, encryption E* producing ciphertext C, MAC producing tag T; how should the two be combined?]
10 / 43
Generic compositions
Encrypt-and-MAC (E&M): C = E*(M), T = MAC(M)
Encrypt-then-MAC (EtM): C = E*(M), T = MAC(C)
MAC-then-Encrypt (MtE): C‖T = E*(M‖MAC(M))
11 / 43
Generic compositions
Encrypt-and-MAC (E&M): e.g., in SSH; security depends on E* and MAC details
Encrypt-then-MAC (EtM): e.g., in IPSec; standard ISO/IEC 19772:2009; provably secure
MAC-then-Encrypt (MtE): e.g., in SSL/TLS; security depends on E* and MAC details
12 / 43
Pitfall: CBC encryption and CBC-MAC with the same key K and IV N (MAC-then-Encrypt)
[Figure: CBC encryption of M_1 ... M_ℓ from IV N gives C_1 ... C_ℓ; CBC-MAC of M_1 ... M_ℓ, chained from the same IV N under the same E_K, gives T]
What happens?
Both chains are identical, so T = C_ℓ, and the encrypted tag block is
C_{ℓ+1} = E_K(T ⊕ C_ℓ) = E_K(0), no authenticity!
13 / 43
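The pitfall on this slide, reproduced in Python as an added example (not part of the lecture): CBC encryption and CBC-MAC under the same key and IV, composed MAC-then-Encrypt. A toy 4-round Feistel cipher built from HMAC-SHA256 stands in for E_K so the code runs without a crypto library; the property shown holds for any block cipher, and all keys, nonces and messages are constructed demo values.

```python
import hashlib
import hmac

def xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))
def _f(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function, constructed for this demo: keyed PRF truncated to 8 bytes.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]
def E(key: bytes, block: bytes) -> bytes:
    # Toy 128-bit block cipher E_K (4-round Feistel) in place of AES; any invertible block cipher shows the pitfall.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r
def D(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r
def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for m in blocks:
        prev = E(key, xor(m, prev))
        out.append(prev)
    return out
def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(xor(D(key, c), prev))
        prev = c
    return out
def cbc_mac(key, iv, blocks):
    # CBC-MAC is the last CBC block; chained from the same IV N as the encryption (as on the slide), T over M_1..M_l equals C_l.
    return cbc_encrypt(key, iv, blocks)[-1]
def mte_encrypt(key, nonce, blocks):  # MAC-then-Encrypt: CBC(M || T) under one key
    return cbc_encrypt(key, nonce, blocks + [cbc_mac(key, nonce, blocks)])
def mte_verify_decrypt(key, nonce, ct):
    *msg, tag = cbc_decrypt(key, nonce, ct)
    return msg if cbc_mac(key, nonce, msg) == tag else None

def demonstrate():
    key, n1, n2 = b"K" * 16, b"\x01" * 16, b"\x02" * 16  # constructed demo values
    m1 = [b"block one.......", b"block two.......", b"block three....."]
    c1 = mte_encrypt(key, n1, m1)
    c2 = mte_encrypt(key, n2, [b"unrelated msg..."])
    # Encrypted tag block C_{l+1} = E_K(T xor C_l) = E_K(0): independent of message and nonce.
    tag_is_constant = c1[-1] == c2[-1] == E(key, bytes(16))
    # A ciphertext with a block removed still verifies: the composition gives no integrity.
    truncated_accepted = mte_verify_decrypt(key, n1, [c1[0], c1[2], c1[3]]) is not None
    return tag_is_constant, truncated_accepted
```

demonstrate() returns (True, True): the last ciphertext block is the same constant E_K(0) for unrelated messages and nonces, and verified decryption accepts the damaged ciphertext.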
CTR and CBC-MAC
[Figure: CTR encryption with counter blocks N‖1 ... N‖ℓ gives C_1 ... C_ℓ; CBC-MAC over M_1 ... M_ℓ, chained from 0, gives T]
14 / 43
1. SUF (strong unforgeability)
2. IND-CPA ... more in a moment
15 / 43
Confidentiality: IND-CPA and IND-CCA2
[Figure: CBC mode — C_i = E_K(M_i ⊕ C_{i-1}) with C_0 = N, i = 1 ... ℓ]
Authenticity/integrity
20 / 43
AES-CCM
OCB 3.0 (very fast)
SIV (nonce-misuse resistance)
ChaCha20-Poly1305 (not based on AES)
...
24 / 43
AES-CCM
[Figure: CCM — CBC-MAC, chained from the header block N‖16·ℓ, over the associated data A_1 ... A_s and the message M_1 ... M_ℓ gives T; CTR encryption with E_K of M_1 ... M_ℓ and T gives C_1 ... C_ℓ and C_{ℓ+1}]
25 / 43
CCM – Properties
+ Needs no D_K (decryption)
26 / 43
GCM: EtM with CTR and Carter-Wegman MAC (in “Galois field” F_2^128)
[Figure: CTR encryption of M_1 ... M_ℓ gives C_1 ... C_ℓ; the hash key is H = E_K(0); A_1 ... A_s, C_1 ... C_ℓ and the length block ℓ‖s are absorbed by chained ×H multiplications in F_2^128, and the result is masked with a final E_K output to give T]
27 / 43
GCM – Properties
+ Fast
  E_K parallelizable
  one block cipher call per block
28 / 43
OCB
[Figure: Δ_0 ← init_K(N), then offsets Δ_1, Δ_2, ..., Δ_ℓ, Δ_$; C_i = E_K(M_i ⊕ Δ_i) ⊕ Δ_i for i = 1 ... ℓ; the checksum of the message blocks is encrypted under Δ_$ and combined with ⊕_{1≤i≤s} E_K(A_i ⊕ Δ̃_i) to give T]
29 / 43
OCB – Properties
Patented!
Can be used under some conditions, but... complicated.
30 / 43
[Figure: sponge/duplex-based authenticated encryption — state initialized from K‖N (rate part r) and 0 (capacity part c); the permutation p is applied between absorbing A_1 ... A_s, then each M_i is absorbed and C_i squeezed from the rate part, and T is output at the end]
32 / 43
CAESAR – The competition
Currently ongoing
34 / 43
CAESAR – Timeline
[Figure: competition timeline]
35 / 43
CAESAR – Submissions
ACORN ++AE AEGIS AES-CMCC
AES-COBRA AES-COPA AES-CPFB AES-JAMBU
AES-OTR AEZ Artemia Ascon
AVALANCHE Calico CBA CBEAM
CLOC Deoxys ELmD Enchilada
FASER HKC HS1-SIV ICEPOLE
iFeed[AES] Joltik Julius Ketje
Keyak KIASU LAC Marble
McMambo Minalpher MORUS NORX
OCB OMD PAEQ PAES
PANDA π-Cipher POET POLAWIS
PRIMATEs Prøst Raviyoyla Sablier
SCREAM SHELL SILC Silver
STRIBOB Tiaoxin TriviA-ck Wheesht
YAES
36 / 43
Summary
42 / 43
Questions
43 / 43