Better Bounds for Block Cipher Modes of Operation via Nonce-Based Key Derivation.

IACR Cryptology ePrint Archive, (2017): 1019-1036

Abstract

Block cipher modes of operation provide a way to securely encrypt using a block cipher. The main factors in analyzing modes of operation are the level of security achieved (chosen-plaintext security, authenticated encryption, nonce-misuse resistance, and so on) and performance. When measuring the security level of a mode o...

Introduction
  • Block ciphers are a basic building block in encryption. Modes of operation are ways of using block ciphers in order to obtain secure encryption, and have been studied for decades.
  • Specifically, when a block cipher with block size n is used to encrypt 2^(n/2) blocks, birthday collisions occur with high probability, potentially resulting in a security breach.
  • Although the threat due to such collisions is often thought to be theoretical in nature, it was recently shown that real attacks can be carried out when 3DES is used in TLS, because of the small block size [5].
Highlights
  • In Section 4, we show how to implement an efficient Key-Derivation Function with very good bounds
  • We describe a new Key Derivation Function (KDF) here, which we call DeriveKey
Results
  • The idea is very simple: first derive a per-message key by applying a key-derivation function to the master key and nonce, and use the per-message key to encrypt the message
  • This ensures that no single key is used too much, and so many more blocks can be encrypted.
  • It requires only minimal changes to existing schemes, which is important for deployment
  • Implementing this idea has two major challenges: (1) On the one hand, key derivation based on a hash function would yield good bounds but is very slow.
  • Standard methods of key expansion, e.g., using the AES-NI aeskeygenassist instruction, are very slow
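The Results bullets explain the idea but not why it buys so much. The following toy model is an added illustration, not code from the paper or its authors: the block cipher is replaced by a random permutation on 16-bit blocks, DeriveKey is replaced by an assumed stand-in that simply yields an independent permutation per (master key, nonce) pair, and the sample messages are constructed. It counts CBC ciphertext-block collisions, the statistic the 3DES-in-TLS attack [5] relies on, once with a single key for every message and once with a per-message derived key.

```python
"""Toy model: block cipher = random permutation on n-bit blocks (n = 16, so the
birthday bound is around 2^8 blocks).  Collisions are counted (a) with one key
for all messages and (b) with a key derived per (master key, nonce)."""
import random

N_BITS = 16                     # toy block size; real ciphers use 64 or 128
BLOCK_SPACE = 1 << N_BITS

def expected_colliding_pairs(num_blocks: int) -> float:
    """Birthday estimate: C(num_blocks, 2) / 2^n colliding pairs."""
    return num_blocks * (num_blocks - 1) / (2 * BLOCK_SPACE)

def toy_block_cipher(key_label: str) -> list:
    """A random permutation on n-bit blocks fixed by the key label (str seed)."""
    rng = random.Random(key_label)
    perm = list(range(BLOCK_SPACE))
    rng.shuffle(perm)
    return perm

def derive_key(master_key: int, nonce: int) -> str:
    """Assumed stand-in for DeriveKey (not the paper's construction)."""
    return f"derived:{master_key}:{nonce}"

def cbc_encrypt(perm: list, iv: int, blocks: list) -> list:
    out, prev = [], iv
    for p in blocks:
        prev = perm[p ^ prev]       # C_i = E_K(P_i xor C_{i-1})
        out.append(prev)
    return out

def colliding_pairs(ct_blocks: list) -> int:
    """Pairs of equal ciphertext blocks produced under one key."""
    counts = {}
    for c in ct_blocks:
        counts[c] = counts.get(c, 0) + 1
    return sum(k * (k - 1) // 2 for k in counts.values())

def run_experiment(n_messages: int = 32, blocks_per_msg: int = 64, seed: int = 1):
    """Return (collisions with one key, collisions with per-message keys)."""
    rng = random.Random(seed)       # constructed sample messages and IVs
    master_key = rng.getrandbits(64)
    msgs = [[rng.getrandbits(N_BITS) for _ in range(blocks_per_msg)]
            for _ in range(n_messages)]
    ivs = [rng.getrandbits(N_BITS) for _ in range(n_messages)]
    single = toy_block_cipher(f"single:{master_key}")      # (a) one key
    all_ct = [c for iv, m in zip(ivs, msgs) for c in cbc_encrypt(single, iv, m)]
    per_msg = 0                     # (b) each derived key sees only its message
    for nonce, (iv, m) in enumerate(zip(ivs, msgs)):
        perm = toy_block_cipher(derive_key(master_key, nonce))
        per_msg += colliding_pairs(cbc_encrypt(perm, iv, m))
    return colliding_pairs(all_ct), per_msg
```

With 32 messages of 64 blocks, the single key processes 2048 blocks and sees about 32 colliding pairs, while each derived key processes only 64 blocks and the total stays around one: the derivation caps the number of blocks any one key ever encrypts.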
Tables
  • Table 1: Optimized code performance in cycles of AES key expansion and key expansion interleaved with the encryption of a few blocks, run on Intel microarchitecture codename Skylake
  • Table 2: Example parameters and security bounds for dominant terms
  • Table 3: Performance (throughput in cycles per byte on a Skylake processor) of CTR, AES-GCM, and AES-GCM-SIV (128-bit key) with and without DeriveKey, for short, medium and long messages. The table shows (rightmost column) the relative overhead due to the derivation. See explanation and discussion in the text
Related work
  • Bellare and Abdalla [3] suggested a re-keying mechanism to increase the lifetime of a key. They provide security analyses for different re-keying mechanisms, and show that re-keying indeed improves the security margins and therefore extends the lifetime of the master key. Our method is different in the mechanism, and also in the key derivation itself. Specifically, [3] consider a scenario where keys are changed periodically using an external counter. This requires storing state, and coordination between different machines using the same key. In contrast, we use the nonce to derive a key, develop a general result on the security benefits of this, and apply it to a number of different schemes. Our results are very different. For one, we obtain that when using schemes that must be nonce respecting, our method enables encrypting longer messages but not more messages (overall more blocks). In contrast, when using nonce-misuse resistant schemes, our method enables encrypting many more messages with a random IV. Thus, our method enables parties to encrypt using a random IV rather than with a unique nonce (which is preferable since state is not needed), and obtain excellent bounds even when the source of entropy is not perfect.
Funding
  • We thank Adam Langley for many helpful discussions regarding AES-GCM-SIV and the key derivation technique, and we thank Tetsu Iwata and Yannick Seurin for pointing out some typos and small errors in an earlier manuscript. This research was supported by the Israel Science Foundation grant no. 1018/16, the PQCRYPTO project which was partially funded by the European Commission Horizon 2020 Research Programme grant no. 645622, and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister's Office
References
  • [1] BoringSSL, https://boringssl.googlesource.com/boringssl/
  • [2] RFC 5077: Transport Layer Security (TLS) Session Resumption without Server-Side State, https://tools.ietf.org/html/rfc5077#section-4
  • [3] A. Abdalla and M. Bellare. Increasing the Lifetime of a Key: A Comparative Analysis of the Security of Re-keying Techniques. In ASIACRYPT 2000, Springer (LNCS 1976), pages 546–559, 2000.
  • [4] E. Barker and J. Kelsey. Recommendation for Random Number Generation Using Deterministic Random Bit Generators, NIST Special Publication 800-90A. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
  • [5] K. Bhargavan and G. Leurent. On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN. In ACM CCS, pages 456–467, 2016.
  • [6] E. Biham. How to decrypt or even substitute DES-encrypted messages in 2^28 steps. Information Processing Letters, 84(3):117–124, 2002.
  • [7] H. Bock, A. Zauner, S. Devlin, J. Somorovsky and P. Jovanovic. Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. In the 10th USENIX Workshop on Offensive Technologies (WOOT 16), 2016.
  • [8] W. Dai, V.T. Hoang and S. Tessaro. Information-Theoretic Indistinguishability via the Chi-Squared Method. In CRYPTO 2017, Springer (LNCS 10403), pages 497–523, 2017.
  • [9] M. Dworkin. Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication. Federal Information Processing Standard Publication FIPS 800-38D, 2006. http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
  • [10] S. Gilboa and S. Gueron. How many queries are needed to distinguish a truncated random permutation from a random function? Journal of Cryptology (2017). doi:10.1007/s00145-017-9253-0
  • [11] S. Gilboa and S. Gueron. The Advantage of Truncated Permutations. Manuscript, 2016. https://arxiv.org/abs/1610.02518
  • [12] S. Gueron and Y. Lindell. GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. 22nd ACM CCS, pages 109–119, 2015.
  • [13] S. Gueron, A. Langley and Y. Lindell. AES-GCM-SIV: Specification and Analysis. Cryptology ePrint Archive, Report 2017/168, 2017. http://eprint.iacr.org/2017/168
  • [14] S. Gueron, A. Langley and Y. Lindell. https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv
  • [15] S. Gueron, Y. Lindell, A. Nof and B. Pinkas. Fast Garbling of Circuits Under Standard Assumptions. 22nd ACM CCS, pages 567–578, 2015.
  • [16] D.A. McGrew and J. Viega. The Galois/Counter Mode of Operation (GCM). http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
  • [17] D.A. McGrew and J. Viega. The Security and Performance of the Galois/Counter Mode (GCM) of Operation. In INDOCRYPT 2004, Springer (LNCS 3348), pages 343–355, 2004.
  • [18] N. Mouha and A. Luykx. Multi-key Security: The Even-Mansour Construction Revisited. Advances in Cryptology – CRYPTO 2015, Proceedings Part I, pages 209–223, 2015.
  • [19] QUIC, a multiplexed stream transport over UDP. https://www.chromium.org/quic
  • [20] P. Rogaway and T. Shrimpton. Deterministic Authenticated Encryption: A Provable-Security Treatment of the Key-Wrap Problem. In EUROCRYPT 2006, Springer (LNCS 4004), pages 373–390, 2006.
  • [21] A. J. Stam. Distance between sampling with and without replacement. Statistica Neerlandica 32(2):81–91, 1978.
  • [22] K. Suzuki, D. Tonien, K. Kurosawa and K. Toyota. Birthday Paradox for Multicollisions. Proceedings of the 9th International Conference on Information Security and Cryptology, Springer (LNCS 4296), pages 29–40, 2006.