Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance

Hoang, Viet Tung; Reyhanitabar, Reza; Rogaway, Phillip; Vizár, Damian

doi:10.1007/978-3-662-47989-6_24

Cited by 32 publications

(27 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our approach to analyzing nonce misuse differs from the line of research on online nonce misuse resistance [4,27,36], which seeks to analyze schemes which are not able to provide the best possible robustness to nonce misuse [66], but are able to guarantee more than nonce misuse resilience. Böck, Zauner, Devlin, Somorovsky, and Jovanovic [18] investigate the practical applicability of noncemisusing attacks in TLS by searching for servers which repeat nonces with GCM.…”

Section: Related Workmentioning

confidence: 99%

Boosting Authenticated Encryption Robustness with Minimal Modifications

Ashur

Dunkelman

Luykx

2017

Advances in Cryptology – CRYPTO 2017

View full text Add to dashboard Cite

Abstract. Secure and highly efficient authenticated encryption (AE) algorithms which achieve data confidentiality and authenticity in the symmetric-key setting have existed for well over a decade. By all conventional measures, AES-OCB seems to be the AE algorithm of choice on any platform with AES-NI: it has a proof showing it is secure assuming AES is, and it is one of the fastest out of all such algorithms. However, algorithms such as AES-GCM and ChaCha20+Poly1305 have seen more widespread adoption, even though they will likely never outperform AES-OCB on platforms with AES-NI. Given the fact that changing algorithms is a long and costly process, some have set out to maximize the security that can be achieved with the already deployed algorithms, without sacrificing efficiency: ChaCha20+Poly1305 already improves over GCM in how it authenticates, GCM-SIV uses GCM's underlying components to provide nonce misuse resistance, and TLS1.3 introduces a randomized nonce in order to improve GCM's multi-user security. We continue this line of work by looking more closely at GCM and ChaCha20+Poly1305 to see what robustness they already provide over algorithms such as OCB, and whether minor variants of the algorithms can be used for applications where defense in depth is critical. We formalize and illustrate how GCM and ChaCha20+Poly1305 offer varying degrees of resilience to nonce misuse, as they can recover quickly from repeated nonces, as opposed to OCB, which loses all security. More surprisingly, by introducing minor tweaks such as an additional XOR, we can create a GCM variant which provides security even when unverified plaintext is released.

show abstract

Section: Related Workmentioning

confidence: 99%

Boosting Authenticated Encryption Robustness with Minimal Modifications

Ashur

Dunkelman

Luykx

2017

Advances in Cryptology – CRYPTO 2017

View full text Add to dashboard Cite

show abstract

“…In [18], Hoang et al introduced a new notion called OAE2, which supports both online encryption and online decryption. It processes plaintext and ciphertext by partitioning them into a sequence of segments.…”

Section: Related Workmentioning

confidence: 99%

Deterministic Authenticated Encryption Scheme for Memory Constrained Devices

2018

View full text Add to dashboard Cite

A technique of authenticated encryption for memory constrained devices called sp-AELM was proposed by Agrawal et al. at ACISP 2015. The sp-ALEM construction utilizes a sponge-based primitive to support online encryption and decryption functionalities. Online encryption in the construction is achieved in the standard manner by processing plaintext blocks as they arrive to produce ciphertext blocks. However, decryption is achieved by storing only one intermediate state and releasing it to the user upon correct verification. This intermediate state allows a legitimate user to generate the plaintext herself. However, the scheme is nonce-respecting, i.e., the scheme is insecure if the nonce is repeated. Implementation of a nonce is non-trivial in practice, and reuse of a nonce in an AE scheme is often devastating. In this paper, we propose a new AE scheme called dAELM, which stands for deterministic authenticated encryption (DAE) scheme for low memory devices. DAE is used in domains such as the key wrap, where the available message entropy omits the overhead of a nonce. For limiting memory usage, our idea is to use a session key to encrypt a message and share the session key with the user depending upon the verification of a tag. We provide the security proof of the proposed construction in the ideal cipher model.

show abstract

“…Moreover, TABLE 1 Comparison study of existing schemes and proposed scheme 14,15,[36][37][38][39][40]45 Scheme Name Parallel Serial OH VME PF Priv. As far our understanding, we use blockcipher-based compression function as a primitive in the component function of the proposed scheme's encryption for the first time.…”

Section: Contributionmentioning

confidence: 99%

“…[42][43][44] 37 Moreover, the OAE(1,2) and PoE use blockcipher also. 36,45 In addition, a full pseudorandom function based scheme that uses tweakable blockcipher in the component function, and the APE uses ideal permutations. 15,39,40 Furthermore, the schemes of COBRA, COPA, and OTR use feistel blockcipher network.…”

Section: Motivationmentioning

confidence: 99%

See 1 more Smart Citation

A simple authentication encryption scheme

Mazumder

Miyaji

2017

Concurrency and Computation

View full text Add to dashboard Cite

An authentication encryption (AE) scheme satisfies to transfer an authenticated data between 2 parties or more. There are vast applications of the AE such as access control, encryption, enhancing trust between multiple parties, and assure the originality of a message. However, the main challenge of the AE is to maintain low-cost features for its construction. Furthermore, there is another emerging issue of Internet of Things (IoT) in the field of data and network communication.The numbers of application of the IoT are increasing expeditiously, where various kinds of device have been used such as IoT-end device, constrained device, and RfID. Moreover, the main challenge of the IoT-end devices and resource constrained devices is to keep a certain level of security bound including minimum cost. However, the IoT-end devices, resource constrained devices, and RfID have lack of resources such as memory, power, and processors. Interestingly, the AE can play a vital role between data acquisition (sensors, actuators) and data aggregation of usual platform of the IoT. Thus, the construction of the AE should satisfy the properties of low-cost, least resources, and less operating-time. Though, there are many familiar constructions of AE such as OTR, McOE, POE, OAE, APE, COPE, CLOC, and SILK but most of the schemes depend on the features of nonce and associate data. In the aspect of security, the usage of nonce and associated data are adequate.However, these 2 features increase the overhead cost. Therefore, we propose a simple construction of IV-based AE where blockcipher compression function is used as encryption function. Our proposed scheme's efficiency-rate is 1 with reasonable privacy-security bound. In addition, it can encrypt arbitrary length of message in each iteration without padding.

show abstract

Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance

Cited by 32 publications

References 33 publications

Boosting Authenticated Encryption Robustness with Minimal Modifications

Boosting Authenticated Encryption Robustness with Minimal Modifications

Deterministic Authenticated Encryption Scheme for Memory Constrained Devices

A simple authentication encryption scheme

Contact Info

Product

Resources

About