Pipelineable On-line Encryption

Abed, Farzaneh; Fluhrer, Scott R.; Forler, Christian; List, Eik; Lucks, Stefan; McGrew, David; Wenzel, Jakob

doi:10.1007/978-3-662-46706-0_11

Cited by 23 publications

(29 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This step usually costs Adv srkprp Φ,E (D), where D is some strong related-key PRP distinguisher with a certain amount of resources, usually q queries to the keyed oracle E φ(k) and τ time, and Φ is the set of related-key deriving functions φ that D is allowed to choose. This reduction is in fact also broadly used beyond the area of tweakable blockciphers, such as in authenticated encryption schemes [1,3,11,21,28,33,37,44,50,51] and message authentication codes [4,13,16,24,29,30,41,47,[57][58][59], and in fact, we are not aware of any security result of a construction based on a standard-model blockcipher that uses a structurally different approach. Inspired by this, we investigate what level of tweakable blockcipher security can be achieved if this proof technique is employed.…”

Section: Optimal Security In Standard Model?mentioning

confidence: 99%

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Mennink

2017

Advances in Cryptology – CRYPTO 2017

View full text Add to dashboard Cite

Abstract. Two types of tweakable blockciphers based on classical blockciphers have been presented over the last years: non-tweak-rekeyable and tweak-rekeyable, depending on whether the tweak may influence the key input to the underlying blockcipher. In the former direction, the best possible security is conjectured to be 2 σn/(σ+1) , where n is the size of the blockcipher and σ is the number of blockcipher calls. In the latter direction, Mennink and Wang et al. presented optimally secure schemes, but only in the ideal cipher model. We investigate the possibility to construct a tweak-rekeyable cipher that achieves optimal security in the standard cipher model. As a first step, we note that all standard-model security results in literature implicitly rely on a generic standard-to-ideal transformation, that replaces all keyed blockcipher calls by random secret permutations, at the cost of the security of the blockcipher. Then, we prove that if this proof technique is adopted, tweak-rekeying will not help in achieving optimal security: if 2 σn/(σ+1) is the best one can get without tweak-rekeying, optimal 2 n provable security with tweak-rekeying is impossible.

show abstract

Section: Optimal Security In Standard Model?mentioning

confidence: 99%

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Mennink

2017

Advances in Cryptology – CRYPTO 2017

View full text Add to dashboard Cite

show abstract

“…The problem was large enough that it wasn't clear to us what was intended. Follow-on work mostly replicated this [2,27]. After discussions among ourselves and checking with one of the FFL authors [41], we concluded that the intended definition is the one we have given.…”

Section: Oae1 Definitionmentioning

confidence: 76%

“…In the Ideal2 game the strings 2 and 2 are independent random strings. However, in game Real2 we always have 2 …”

Section: Achieving Oae2mentioning

confidence: 99%

“…Schemes1: COPA [8], Deoxys [34], Joltik [35], KIASU [36], Marble [30], McOE [26], SHELL [59], POET [1,2], Prøst-COPA [19] Schemes2: ++AE [47] OAE1a Leaks equality of block-aligned prefixes, formalized by comparing ℰ with: a random -bit-blocksize online function tweaked by the nonce, AD and plaintext; followed by a random -bit function of the nonce, AD, and plaintext. Schemes1: APE [5], ELmD [23], ELmE [24], Prøst-APE [19] OAE1b Leaks equality of block-aligned prefixes, formalized by comparing ℰ with: a random -bit-blocksize online function tweaked by the nonce and plaintext (but not the AD); followed by a random -bit function of the nonce, AD, and plaintext.…”

Section: Oae1mentioning

confidence: 99%

See 1 more Smart Citation

Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance

Hoang

Reyhanitabar

Rogaway

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract.A definition of online authenticated-encryption (OAE), call it OAE1, was given by Fleischmann, Forler, and Lucks (2012). It has become a popular definitional target because, despite allowing encryption to be online, security is supposed to be maintained even if nonces get reused. We argue that this expectation is effectively wrong. OAE1 security has also been claimed to capture best-possible security for any online-AE scheme. We claim that this understanding is wrong, too. So motivated, we redefine OAE-security, providing a radically different formulation, OAE2. The new notion effectively does capture best-possible security for a user's choice of plaintext segmentation and ciphertext expansion. It is achievable by simple techniques from standard tools. Yet even for OAE2, nonce-reuse can still be devastating. The picture to emerge is that no OAE definition can meaningfully tolerate nonce-reuse, but, at the same time, OAE security ought never have been understood to turn on this question.

show abstract

“…Moreover, TABLE 1 Comparison study of existing schemes and proposed scheme 14,15,[36][37][38][39][40]45 Scheme Name Parallel Serial OH VME PF Priv. As far our understanding, we use blockcipher-based compression function as a primitive in the component function of the proposed scheme's encryption for the first time.…”

Section: Contributionmentioning

confidence: 99%

A simple authentication encryption scheme

Mazumder

Miyaji

2017

Concurrency and Computation

View full text Add to dashboard Cite

An authentication encryption (AE) scheme satisfies to transfer an authenticated data between 2 parties or more. There are vast applications of the AE such as access control, encryption, enhancing trust between multiple parties, and assure the originality of a message. However, the main challenge of the AE is to maintain low-cost features for its construction. Furthermore, there is another emerging issue of Internet of Things (IoT) in the field of data and network communication.The numbers of application of the IoT are increasing expeditiously, where various kinds of device have been used such as IoT-end device, constrained device, and RfID. Moreover, the main challenge of the IoT-end devices and resource constrained devices is to keep a certain level of security bound including minimum cost. However, the IoT-end devices, resource constrained devices, and RfID have lack of resources such as memory, power, and processors. Interestingly, the AE can play a vital role between data acquisition (sensors, actuators) and data aggregation of usual platform of the IoT. Thus, the construction of the AE should satisfy the properties of low-cost, least resources, and less operating-time. Though, there are many familiar constructions of AE such as OTR, McOE, POE, OAE, APE, COPE, CLOC, and SILK but most of the schemes depend on the features of nonce and associate data. In the aspect of security, the usage of nonce and associated data are adequate.However, these 2 features increase the overhead cost. Therefore, we propose a simple construction of IV-based AE where blockcipher compression function is used as encryption function. Our proposed scheme's efficiency-rate is 1 with reasonable privacy-security bound. In addition, it can encrypt arbitrary length of message in each iteration without padding.

show abstract

Pipelineable On-line Encryption

Cited by 23 publications

References 32 publications

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance

A simple authentication encryption scheme

Contact Info

Product

Resources

About