Robust Authenticated-Encryption AEZ and the Problem That It Solves

Hoang, Viet Tung; Krovetz, Ted; Rogaway, Phillip

doi:10.1007/978-3-662-46800-5_2

Cited by 111 publications

(85 citation statements)

References 47 publications

(66 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This step usually costs Adv srkprp Φ,E (D), where D is some strong related-key PRP distinguisher with a certain amount of resources, usually q queries to the keyed oracle E φ(k) and τ time, and Φ is the set of related-key deriving functions φ that D is allowed to choose. This reduction is in fact also broadly used beyond the area of tweakable blockciphers, such as in authenticated encryption schemes [1,3,11,21,28,33,37,44,50,51] and message authentication codes [4,13,16,24,29,30,41,47,[57][58][59], and in fact, we are not aware of any security result of a construction based on a standard-model blockcipher that uses a structurally different approach. Inspired by this, we investigate what level of tweakable blockcipher security can be achieved if this proof technique is employed.…”

Section: Optimal Security In Standard Model?mentioning

confidence: 99%

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Mennink

2017

Advances in Cryptology – CRYPTO 2017

View full text Add to dashboard Cite

Abstract. Two types of tweakable blockciphers based on classical blockciphers have been presented over the last years: non-tweak-rekeyable and tweak-rekeyable, depending on whether the tweak may influence the key input to the underlying blockcipher. In the former direction, the best possible security is conjectured to be 2 σn/(σ+1) , where n is the size of the blockcipher and σ is the number of blockcipher calls. In the latter direction, Mennink and Wang et al. presented optimally secure schemes, but only in the ideal cipher model. We investigate the possibility to construct a tweak-rekeyable cipher that achieves optimal security in the standard cipher model. As a first step, we note that all standard-model security results in literature implicitly rely on a generic standard-to-ideal transformation, that replaces all keyed blockcipher calls by random secret permutations, at the cost of the security of the blockcipher. Then, we prove that if this proof technique is adopted, tweak-rekeying will not help in achieving optimal security: if 2 σn/(σ+1) is the best one can get without tweak-rekeying, optimal 2 n provable security with tweak-rekeying is impossible.

show abstract

Section: Optimal Security In Standard Model?mentioning

confidence: 99%

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Mennink

2017

Advances in Cryptology – CRYPTO 2017

View full text Add to dashboard Cite

show abstract

“…For instance, if E's security matches that of a tweakable (variable input length) cipher, the MAC-then-Encrypt constructions become a sort of encodethen-encipher. The latter is secure against release of unverified plaintext [25]. We leave open the identification of sufficient conditions on E for a generic composition result in the presence of leakage to pull through for EtM or E&M; relatedly, we leave open the extension of our work to the encode-then-encipher setting.…”

Section: Mac-and/then-encrypt Are Brittle Under Leakagementioning

confidence: 99%

“…Andreeva et al [2] (RUP) considered the release of unverified plaintexts, where the decryption oracle releases candidate plaintexts even if they fail verification. The robust authenticated encryption notion of Hoang et al [25] also implies security against the leakage of these candidate plaintexts, among other goals. Barwell et al [4] defined the SAE framework as a generalisation of these notions, and used it to compare the three previous works.…”

Section: Related Workmentioning

confidence: 99%

“…This meant ruling out every NRS construction secure in the nonce misuse model, an important feature for a modern robust AE schemes [10,25,51]. Roughly speaking, for MRAE security a scheme must be MtE (to ensure maximum diffusion) yet for leakage resilience it must be EtM (to ensure minimal leakage).…”

Section: Achieving Misuse Resistant Lae Securitymentioning

confidence: 99%

“…In response, a number of works have tried to capture more closely how protocols behave when implemented [14,21,25]. We are particularly interested in subtle authenticated encryption [4] which augments the authenticated encryption security game with an implementation-dependent leakage oracle that provides an adversary deterministic decryption leakage on invalid ciphertexts only.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Authenticated Encryption in the Face of Protocol and Side Channel Leakage

Barwell

Martin

Oswald

et al. 2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Authenticated encryption schemes in practice have to be robust against adversaries that have access to various types of leakage, for instance decryption leakage on invalid ciphertexts (protocol leakage), or leakage on the underlying primitives (side channel leakage). This work includes several novel contributions: we augment the notion of nonce-base authenticated encryption with the notion of continuous leakage and we prove composition results in the face of protocol and side channel leakage. Moreover, we show how to achieve authenticated encryption that is simultaneously both misuse resistant and leakage resilient, based on a sufficiently leakage resilient PRF, and finally we propose a concrete, pairing-based instantiation of the latter.

show abstract

Fault analysis of AEZ

Mahri

Simpson

Bartlett

et al. 2018

Concurrency and Computation

View full text Add to dashboard Cite

Summary AEZ is a block cipher mode based on AES which uses three 128‐bit keys. The algorithm has been updated several times during the three rounds of the CAESAR cryptographic competition. Cryptanalytic results presented on AEZ to date do not breach its security. This paper describes a fault injection analysis on AEZ. We focus on analysing AEZ v4.2 but also investigate the applicability of these analyses to the recent version AEZ v5. This paper shows that all three 128‐bit keys in AEZ v4.2 can be uniquely retrieved using only three random‐valued single byte fault injections. A similar approach using four fault injections can uniquely recover all three keys of AEZ v5. The feasibility of this fault injection methodology has been proven against AES in previous works.

show abstract

Robust Authenticated-Encryption AEZ and the Problem That It Solves

Cited by 111 publications

References 47 publications

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Authenticated Encryption in the Face of Protocol and Side Channel Leakage

Fault analysis of AEZ

Contact Info

Product

Resources

About