The Software Performance of Authenticated-Encryption Modes

Krovetz, Ted; Rogaway, Phillip

doi:10.1007/978-3-642-21702-9_18

Cited by 192 publications

(196 citation statements)

References 34 publications

Supporting

Mentioning

188

Contrasting

Unclassified

Order By: Relevance

“…This step usually costs Adv srkprp Φ,E (D), where D is some strong related-key PRP distinguisher with a certain amount of resources, usually q queries to the keyed oracle E φ(k) and τ time, and Φ is the set of related-key deriving functions φ that D is allowed to choose. This reduction is in fact also broadly used beyond the area of tweakable blockciphers, such as in authenticated encryption schemes [1,3,11,21,28,33,37,44,50,51] and message authentication codes [4,13,16,24,29,30,41,47,[57][58][59], and in fact, we are not aware of any security result of a construction based on a standard-model blockcipher that uses a structurally different approach. Inspired by this, we investigate what level of tweakable blockcipher security can be achieved if this proof technique is employed.…”

Section: Optimal Security In Standard Model?mentioning

confidence: 99%

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Mennink

2017

Advances in Cryptology – CRYPTO 2017

View full text Add to dashboard Cite

Abstract. Two types of tweakable blockciphers based on classical blockciphers have been presented over the last years: non-tweak-rekeyable and tweak-rekeyable, depending on whether the tweak may influence the key input to the underlying blockcipher. In the former direction, the best possible security is conjectured to be 2 σn/(σ+1) , where n is the size of the blockcipher and σ is the number of blockcipher calls. In the latter direction, Mennink and Wang et al. presented optimally secure schemes, but only in the ideal cipher model. We investigate the possibility to construct a tweak-rekeyable cipher that achieves optimal security in the standard cipher model. As a first step, we note that all standard-model security results in literature implicitly rely on a generic standard-to-ideal transformation, that replaces all keyed blockcipher calls by random secret permutations, at the cost of the security of the blockcipher. Then, we prove that if this proof technique is adopted, tweak-rekeying will not help in achieving optimal security: if 2 σn/(σ+1) is the best one can get without tweak-rekeying, optimal 2 n provable security with tweak-rekeying is impossible.

show abstract

Section: Optimal Security In Standard Model?mentioning

confidence: 99%

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Mennink

2017

Advances in Cryptology – CRYPTO 2017

View full text Add to dashboard Cite

show abstract

“…This and further efficiency optimization reasons have led to the development of many dedicated nonce-based AE solutions such as CCM [33], CWC [20], EAX [7], GCM [23], IACBC [18], IAPM [18], OCB1-3 [21,27,29], and OTR [24].…”

Section: Introductionmentioning

confidence: 99%

“…For example, instead of performing finite-field multiplications sequentially by Horner's rule as On more recent Intel CPUs such as Nehalem and Sandy Bridge, finitefield multiplication runs slower than AES [21]. Note that these processors are equipped with dedicated instruction sets, PCLMULQDQ for finite-field multiplication and AES-NI for AES block cipher computation.…”

Section: Introductionmentioning

confidence: 99%

COBRA: A Parallelizable Authenticated Online Cipher Without Block Cipher Inverse

Andreeva

Luykx

Mennink

et al. 2015

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. We present a new, misuse-resistant scheme for online authenticated encryption, following the framework set forth by Fleischmann et al. (FSE 2012). Our scheme, COBRA, is roughly as efficient as the GCM mode of operation for nonce-based authenticated encryption, performing one block cipher call plus one finite field multiplication per message block in a parallelizable way. The major difference from GCM is that COBRA preserves privacy up to prefix under nonce repetition. However, COBRA only provides authenticity against nonce-respecting adversaries. As compared to COPA (ASIACRYPT 2013), our new scheme requires no block cipher inverse and hence enjoys provable security under a weaker assumption about the underlying block cipher. In addition, COBRA can possibly perform better than COPA on platforms where finite field multiplication can be implemented faster than the block cipher in use, since COBRA essentially replaces half of the block cipher calls in COPA with finite field multiplications.

show abstract

“…Authenticated Encryption (AE) schemes (such as EAX [7], GCM [31], OCB [28], etc.) perform an authentication check on the entire ciphertext before they output a decrypted message.…”

Section: Introductionmentioning

confidence: 99%

Pipelineable On-line Encryption

Abed

Fluhrer

Forler

et al. 2015

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. Correct authenticated decryption requires the receiver to buffer the decrypted message until the authenticity check has been performed. In high-speed networks, which must handle large message frames at low latency, this behavior becomes practically infeasible. This paper proposes CCA-secure on-line ciphers as a practical alternative to AE schemes since the former provide some defense against malicious message modifications. Unfortunately, all published on-line ciphers so far are either inherently sequential, or lack a CCA-security proof. This paper introduces POE, a family of on-line ciphers that combines provable security against chosen-ciphertext attacks with pipelineability to support efficient implementations. POE combines a block cipher and an ǫ-AXU family of hash functions. Different instantiations of POE are given, based on different universal hash functions and suitable for different platforms. Moreover, this paper introduces POET, a provably secure on-line AE scheme, which inherits pipelineability and chosen-ciphertextsecurity from POE and provides additional resistance against noncemisuse attacks.

show abstract

The Software Performance of Authenticated-Encryption Modes

Cited by 192 publications

References 34 publications

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

Insuperability of the Standard Versus Ideal Model Gap for Tweakable Blockcipher Security

COBRA: A Parallelizable Authenticated Online Cipher Without Block Cipher Inverse

Pipelineable On-line Encryption

Contact Info

Product

Resources

About