Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dan Boneh Authenticated Encryption Constructions from ciphers and MACs Online Cryptography Course Dan Boneh.

Published byCharlotte Tyler Modified over 8 years ago

Similar presentations

Presentation on theme: "Dan Boneh Authenticated Encryption Constructions from ciphers and MACs Online Cryptography Course Dan Boneh."— Presentation transcript:

1 Dan Boneh Authenticated Encryption Constructions from ciphers and MACs Online Cryptography Course Dan Boneh

2 Dan Boneh … but first, some history Authenticated Encryption (AE): introduced in 2000 [KY’00, BN’00] Crypto APIs before then: (e.g. MS-CAPI) Provide API for CPA-secure encryption (e.g. CBC with rand. IV) Provide API for MAC (e.g. HMAC) Every project had to combine the two itself without a well defined goal Not all combinations provide AE …

3 Dan Boneh Combining MAC and ENC (CCA) Encryption key k E. MAC key = k I Option 1: (SSL) Option 2: (IPsec) Option 3: (SSH) msg m tag E(k E, m ll tag) S(k I, m) msg m E(k E, m) tag S(k I, c) msg m E(k E, m) tag S(k I, m) always correct

4 Dan Boneh A.E. Theorems Let (E,D) be CPA secure cipher and (S,V) secure MAC. Then: 1.Encrypt-then-MAC: always provides A.E. 2.MAC-then-encrypt: may be insecure against CCA attacks however: when (E,D) is rand-CTR mode or rand-CBC M-then-E provides A.E. for rand-CTR mode, one-time MAC is sufficient

5 Dan Boneh Standards (at a high level) GCM: CTR mode encryption then CW-MAC ( accelerated via Intel’s PCLMULQDQ instruction) CCM: CBC-MAC then CTR mode encryption (802.11i) EAX: CTR mode encryption then CMAC All support AEAD: (auth. enc. with associated data). All are nonce-based. encrypted data associated data authenticated encrypted

6 Dan Boneh An example API (OpenSSL) int AES_GCM_Init(AES_GCM_CTX *ain, unsigned char * nonce, unsigned long noncelen, unsigned char * key, unsigned int klen ) int AES_GCM_EncryptUpdate(AES_GCM_CTX *a, unsigned char * aad, unsigned long aadlen, unsigned char * data, unsigned long datalen, unsigned char * out, unsigned long *outlen)

7 Dan Boneh MAC Security -- an explanation Recall: MAC security implies (m, t) (m, t’ ) Why? Suppose not: (m, t) (m, t’) Then Encrypt-then-MAC would not have Ciphertext Integrity !! ⇏ Chal. b Adv. kKkK m 0, m 1 c  E(k, m b ) = (c 0, t) c’ = (c 0, t’ ) ≠ c D(k, c’ ) = m b b (c 0, t) (c 0, t’)

8 Dan Boneh OCB: a direct construction from a PRP More efficient authenticated encryption: one E() op. per block. m[0]m[1]m[2]m[3]  E(k,  ) P(N,k,0)P(N,k,1)P(N,k,2)P(N,k,3)  P(N,k,0)P(N,k,1)P(N,k,2) P(N,k,3) c[0]c[1]c[2]c[3] checksum E(k,  )   c[4] P(N,k,0) auth

9 Dan Boneh Performance: Crypto++ 5.6.0 [ Wei Dai ] AMD Opteron, 2.2 GHz ( Linux) codeSpeed Cipher size (MB/sec) AES/GCM large ** 108AES/CTR139 AES/CCMsmaller 61AES/CBC109 AES/EAXsmaller 61 AES/CMAC109 AES/OCB129 * HMAC/SHA1147 * extrapolated from Ted Kravitz’s results ** non-Intel machines

10 Dan Boneh End of Segment

Download ppt "Dan Boneh Authenticated Encryption Constructions from ciphers and MACs Online Cryptography Course Dan Boneh."

Similar presentations

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted email, new key for every message.

Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted , new key for every message.
Online Cryptography Course Dan Boneh

Online Cryptography Course Dan Boneh
Dan Boneh Stream ciphers Real-world Stream Ciphers Online Cryptography Course Dan Boneh.

Dan Boneh Stream ciphers Real-world Stream Ciphers Online Cryptography Course Dan Boneh.
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.

Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.
Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.

Message Authentication Codes (MACs) and Hashes David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012.
1`` ```` ```` ```` ```` ```` ```` ```` ```` ```` `` AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University.

1`` ```` ```` ```` ```` ```` ```` ```` ```` ```` `` AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.

Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Cryptography: Review Day David Brumley Carnegie Mellon University.

Cryptography: Review Day David Brumley Carnegie Mellon University.
1 PRPs and PRFs CS255: Winter 2008 1.Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.

1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.

Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Authenticated Encryption with Replay prOtection (AERO)

Authenticated Encryption with Replay prOtection (AERO)
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.

Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.

1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.
Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: 2012-10-30 Authors:

Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: Authors:
1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.

1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.
CMSC 456 Introduction to Cryptography

CMSC 456 Introduction to Cryptography
#1 EAX A two-pass authenticated encryption mode Mihir BellarePhillip RogawayDavid Wagner U.C. San Diego U.C. Davis and U.C. Berkeley Chiang Mai University.

#1 EAX A two-pass authenticated encryption mode Mihir BellarePhillip RogawayDavid Wagner U.C. San Diego U.C. Davis and U.C. Berkeley Chiang Mai University.

Similar presentations

Ads by Google