Authenticated Encryption with Variable Stretch

Reyhanitabar, Reza; Vaudenay, Serge; Vizár, Damian

doi:10.1007/978-3-662-53887-6_15

Cited by 14 publications

(30 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, other robust security properties, such as security with variable-length tags [63], under distinguishable decryption failures [19], or under release of unverified plaintext [3] are equally desirable. The CAESAR competition's use case describing defense in depth lists authenticity and limited confidentiality damage from release of unverified plaintexts (RUP) as desirable properties [15].…”

Section: Release Of Unverified Plaintextmentioning

confidence: 99%

Boosting Authenticated Encryption Robustness with Minimal Modifications

Ashur

Dunkelman

Luykx

2017

Advances in Cryptology – CRYPTO 2017

View full text Add to dashboard Cite

Abstract. Secure and highly efficient authenticated encryption (AE) algorithms which achieve data confidentiality and authenticity in the symmetric-key setting have existed for well over a decade. By all conventional measures, AES-OCB seems to be the AE algorithm of choice on any platform with AES-NI: it has a proof showing it is secure assuming AES is, and it is one of the fastest out of all such algorithms. However, algorithms such as AES-GCM and ChaCha20+Poly1305 have seen more widespread adoption, even though they will likely never outperform AES-OCB on platforms with AES-NI. Given the fact that changing algorithms is a long and costly process, some have set out to maximize the security that can be achieved with the already deployed algorithms, without sacrificing efficiency: ChaCha20+Poly1305 already improves over GCM in how it authenticates, GCM-SIV uses GCM's underlying components to provide nonce misuse resistance, and TLS1.3 introduces a randomized nonce in order to improve GCM's multi-user security. We continue this line of work by looking more closely at GCM and ChaCha20+Poly1305 to see what robustness they already provide over algorithms such as OCB, and whether minor variants of the algorithms can be used for applications where defense in depth is critical. We formalize and illustrate how GCM and ChaCha20+Poly1305 offer varying degrees of resilience to nonce misuse, as they can recover quickly from repeated nonces, as opposed to OCB, which loses all security. More surprisingly, by introducing minor tweaks such as an additional XOR, we can create a GCM variant which provides security even when unverified plaintext is released.

show abstract

Section: Release Of Unverified Plaintextmentioning

confidence: 99%

Boosting Authenticated Encryption Robustness with Minimal Modifications

Ashur

Dunkelman

Luykx

2017

Advances in Cryptology – CRYPTO 2017

View full text Add to dashboard Cite

show abstract

“…To clarify what is meant by "flexible" security-overhead trade-off, consider for example a nonce-based AEAD algorithm that is secure to use with variable stretch [RVV16]; that is, under the same key, several tag lengths (a.k.a. ciphertext expansion or stretch) can be securely used for authenticated encryption of different messages.…”

Section: Variable Stretchmentioning

confidence: 99%

“…The support of variable tag length in AEAD schemes has been investigated by Reyhanitabar, Vaudenay and Vizár [RVV16] from both a misuse-resistance viewpoint and optimizing computation and communication overheads in resource-constrained devices. The work formalizes the security of nonce-based AEAD schemes with variable stretch in the security notion nvae (for nonce-based variable-stretch AE), establishes relations with existing notions, and proposes how to achieve and prove nvae security with the help of the so-called kess property (for key-equivalent separation by stretch).…”

Section: Related Workmentioning

confidence: 99%

“…Towards this goal, we first propose a variable-stretch variant of the CCM standard, naming it vCCM, and prove that it is a secure nonce-based variable-stretch AEAD scheme, i.e., nvAE-secure as formalized by Reyhanitabar et al [RVV16]. We then experimentally measure the energy consumption of a real-world low-power wireless sensor platform in a simple model scenario when using vCCM and CCM, respectively.…”

Section: Contributionmentioning

confidence: 99%

See 1 more Smart Citation

Power Yoga: Variable-Stretch Security of CCM for Energy-Efficient Lightweight IoT

Gjiriti

Reyhanitabar

Vizár

2021

ToSC

Self Cite

View full text Add to dashboard Cite

The currently ongoing NIST LWC project aims at identifying new standardization targets for lightweight authenticated encryption with associated data (AEAD) and (optionally) lightweight cryptographic hashing. NIST has deemed it important for performance and cost to be optimized on relevant platforms, especially for short messages. Reyhanitabar, Vaudenay and Vizár (Asiacrypt 2016) gave a formal treatment for security of nonce-based AEAD with variable stretch, i.e., when the length of the authentication tag is changed between encryptions without changing the key. They argued that AEAD supporting variable stretch is of practical interest for constrained applications, especially low-power devices operated by battery, due to the ability to flexibly trade communication overhead and level of integrity.In this work, we investigate this hypothesis with affirmative results. We present vCCM, a variable-stretch variant of the standard CCM and prove it is secure when used with variable stretch. We then experimentally measure the energy consumption of a real-world wireless sensor node when encrypting and sending messages with vCCM and CCM, respectively. Our projections show that the flexible trade of integrity level and ciphertext expansion can lead up to 21% overall energy consumption reduction in certain scenarios. As vCCM is obtained from the widely-used CCM by a black-box transformation, allowing any existing CCM implementations to be reused as-is, our results can be immediately put to use in practice. vCCM is all the more relevant because neither the NIST LWC project, nor any of the candidates give a consideration for the support of variable stretch and the related integrity-overhead trade-off.

show abstract

“…This new type of misuse has been identified by the community only recently. Some of the second-round candidates have already included heuristic measures against it and the first formal treatment for nonce-based AE schemes was proposed by R e y h a n i t a b a r et al [62].…”

Section: Security Goals Of Aementioning

confidence: 99%

The State of the Authenticated Encryption

Vizár

2016

Tatra Mountains Mathematical Publications

Self Cite

View full text Add to dashboard Cite

Ensuring confidentiality and integrity of communication remains among the most important goals of cryptography. The notion of authenticated encryption marries these two security goals in a single symmetric-key, cryptographic primitive. A lot of effort has been invested in authenticated encryption during the fifteen years of its existence. The recent Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) has boosted the research activity in this area even more. As a result, the area of authenticated encryption boasts numerous results, both theoretically and practically oriented, and perhaps even greater number of constructions of authenticated encryption schemes. We explore the current landscape of results on authenticated encryption. We review the CEASAR competition and its candidates, the most popular construction principles, and various design goals for authenticated encryption, many of which appeared during the CAESAR competition. We also take a closer look at the candidate Offset Merkle-Damgård (OMD).

show abstract

Authenticated Encryption with Variable Stretch

Cited by 14 publications

References 21 publications

Boosting Authenticated Encryption Robustness with Minimal Modifications

Boosting Authenticated Encryption Robustness with Minimal Modifications

Power Yoga: Variable-Stretch Security of CCM for Energy-Efficient Lightweight IoT

The State of the Authenticated Encryption

Contact Info

Product

Resources

About