1 The XCBC-XOR, XECB-XOR and XECB-MAC Modes Virgil D. GligorPompiliu Donescu VDG Inc 6009 Brookside Drive Chevy Chase, Maryland 20815 {gligor,

Slides:



Advertisements
Similar presentations
ECE454/CS594 Computer and Network Security
Advertisements

“Advanced Encryption Standard” & “Modes of Operation”
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Cryptography and Network Security Chapter 6. Chapter 6 – Block Cipher Operation Many savages at the present day regard their names as vital parts of themselves,
Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
Stream cipher diagram + + Recall: One-time pad in Chap. 2.
1 CS 577 “TinySec: A Link Layer Security Architecture for Wireless Sensor Networks” Chris Karlof, Naveen Sastry, David Wagner UC Berkeley Summary presented.
#1 EAX A two-pass authenticated encryption mode Mihir BellarePhillip RogawayDavid Wagner U.C. San Diego U.C. Davis and U.C. Berkeley Chiang Mai University.
Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Encryption Schemes Second Pass Brice Toth 21 November 2001.
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Block Cipher Transmission Modes CSCI 5857: Encoding and Encryption.
Modes of Operation. Topics  Overview of Modes of Operation  EBC, CBC, CFB, OFB, CTR  Notes and Remarks on each modes.
Message Authentication Requirements Disclosure Release of message contents to any person or process not possessing the appropriate cryptographic key Traffic.
Cryptography and Network Security Chapter 6. Multiple Encryption & DES  clear a replacement for DES was needed theoretical attacks that can break it.
1 TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Hai Yan Computer Science & Engineering University of Connecticut.
Towards Automated Security Proof for Symmetric Encryption Modes Martin Gagné Joint work with Reihaneh Safavi-Naini, Pascal Lafourcade and Yassine Lakhnech.
Lecture 4: Using Block Ciphers
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 2 – Cryptographic.
More About DES Cryptography and Network Security Reference: Sec 3.1 of Stallings Text.
1.1 Chapter 8 Encipherment Using Modern Symmetric-Key Ciphers Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Shambhu Upadhyaya Security – AES-CCMP Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 13)
Modes of Operation INSTRUCTOR: DANIA ALOMAR. Modes of Operation A block cipher can be used in various methods for data encryption and decryption; these.
CRYPTANALYSIS OF STREAM CIPHER Bimal K Roy Cryptology Research Group Indian Statistical Institute Kolkata.
TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof :: Naveen Sastry :: David Wagner Presented by Roh, Yohan October.
TinySec : Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof :: Naveen Sastry :: David Wagner Presented by Anil Karamchandani 10/01/2007.
Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
Chapter 2 Symmetric Encryption.
Various Attacks on Cryptosystems slides (c) 2012 by Richard Newman.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
Cryptography and Network Security
Cipher Transmission and Storage Modes Part 2: Stream Cipher Modes CSCI 5857: Encoding and Encryption.
Should NIST Develop an Additional Version of GCM? July 26, 2007 Morris Dworkin, Mathematician Security Technology Group
MiniSec: A Secure Sensor Network Communication Architecture Carnegie Mellon UniversityUniversity of Maryland at College Park Mark Luk, Ghita Mezzour, Adrian.
Part 1  Cryptography 1 Integrity Part 1  Cryptography 2 Data Integrity  Integrity  detect unauthorized writing (i.e., modification of data)  Example:
@Yuan Xue 285: Network Security CS 285 Network Security Message Authentication Code Data integrity + Source authentication.
Block Cipher Modes Last Updated: Aug 25, ECB Mode Electronic Code Book Divide the plaintext into fixed-size blocks Encrypt/Decrypt each block independently.
CS480 Cryptography and Information Security
Message Authentication Code
Block Cipher Modes CS 465 Make a chart for the mode comparisons
Cryptography Lecture 12.
Cryptography Lecture 10.
Block cipher and modes of encryptions
Cryptography Lecture 11.
Security Of Wireless Sensor Networks
Block vs Stream Ciphers
Block Ciphers (Crypto 2)
Security of Wireless Sensor Networks
Cryptography Lecture 11.
Cryptography Lecture 9.
Cryptography Lecture 12.
Topic 13: Message Authentication Code
Cryptography Lecture 9.
Cryptography Lecture 11.
Cryptography Lecture 10.
July 15, 2019 doc.: IEEE r0 May, 2002 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [AES.
Counter With Cipher Block Chaining-MAC
Counter Mode, Output Feedback Mode
Elect. Codebook, Cipher Block Chaining
Presentation transcript:

1 The XCBC-XOR, XECB-XOR and XECB-MAC Modes Virgil D. GligorPompiliu Donescu VDG Inc 6009 Brookside Drive Chevy Chase, Maryland {gligor, August 24, 2001

2 Outline 1. Security Claims 2. Operational Claims 3. Examples: XCBC-XOR, XECB-XOR, XECB-MAC modes 4. Conclusions

3 1. Security Claims for Authenticated Encryption 1. Security Claim = a security notion supported by a mode or scheme of encryption 2. Secrecy Notion = 3. Integrity (Authenticity) Notion = < Existential Forgery protection, (adaptive) Chosen Plaintext Attacks>

4 2. Operational Claims for Modes of Encryption Operational Notion = Operational Goals: cost-performance, simplicity, usability cost-performance: power consumption speed (no. of block-cipher invocations, latency) implementation cost (e.g., hardware “real-estate’’) simplicity single key specifications (e.g., simple operations) same basic structure for - authenticated encryption - ciphertext authentication (two-pass, two keys) - plaintext authentication (MAC) usability in different environments various keying-state protection mechanisms needed availability of random number generators, error recovery (ECC, no recovery vs. partial recovery)

5 Operational Characteristics of Modes State: stateless, stateful-sender, stateful Degree of parallelism none (sequential) interleaved (known/negotiated no. of processing units for parallel operation) architecture-independent independent of no. of processing units same overhead for parallel, pipelined or sequential operation out-of-order processing, incremental Error recovery interleaving provides some support on a per-segment basis Separation of Confidentiality and Integrity protection (e.g., two-pass, two keys) Padding avoid added block-cipher invocation if message length is a multiple no. of blocks. avoid added latency (1 block-cipher invocation) caused by “ciphertext stealing”

6 Examples of State Characteristics of a Mode Stateless - needs good, secure source of randomness per message - no state to maintain across messages (other than key) - Execution:  n+3 block cipher invocations; - Latency:  2 block cipher invocations in parallel execution Stateful Sender - state (e.g., message counter) maintained by sender - protection of sender state (e.g., counter integrity) across messages - Execution: n+2 block cipher invocations - Latency: 2 block cipher invocations in parallel execution Stateful - state : shared variables (other than key) - protection of state secrecy, integrity across messages - more susceptible to failures, intrusion - Execution: n+1 block cipher invocations- - Latency:  1 block cipher invocation in parallel execution robustness increase speed increase

7 x1x1 x2x2 x3x3 x4x4. K x =. E1E1 E2E2 E3E3 E4E4. E5E5... y2y2 y3y3 y4y4 y = y1y1 y5y5. MDC(x)... x5x5 IND-CPA Secure Mode z1z1 z2z2 z3z3 z4z4 z5z5 Sender Initialization FKFK... Receiver Initialization 3. Authenticated Encryption Modes op 1. IND-CPA secure mode: processes block x i, 1  i  n+1, and inputs result to block cipher F K 2. “op” has an inverse “op -1 ” 3. Elements E i are unpredictable, 1  i  n+1, and E p i op -1 E q j are unpredictable, where (p, i)  (q, j) messages p,q are encrypted with same key K. Unpredictable vector z 0

8 z1z1 z2z2 z3z3 z4z4 K’ z =.. IND-CPA Secure Mode w1w1 w2w2 w3w3 w4w4 Sender Initialization FKFK... Receiver Initialization Motivation for Confidentiality-Centric View w z 1 z 2 z 3 z 4 Observation (1998): secure message authentication modes (in chosen message attacks) can be obtained from certain IND-CPA secure modes Implication: same mode structure can be used for (1) authenticated encryption (one pass, single cryptographic primitive) (2) ciphertext authentication (two-pass, single cryptographic primitive, two-key separation of confidentiality and integrity) (3) plaintext authentication (MAC) Implementation: with only little added control logic we get (1), (2) and (3)

9. K Random-number generator r0r0. y0y0 FKFK. IND-CPA mode stateless mode r0r0 ctr ctr’ = ctr+1 FKFK K... IND-CPA mode E i = i x r 0 ctr stateful-sender mode K. R*, R E i = ctr x R* + i x R R*, R E i = ctr x R* + i x R ctr ctr’ = ctr+1 ctr. stateful mode Examples of Mode Initialization 1  i  n+1 E* n+1 = ctr x R* sender receiver R*, R = random, uniformly distributed, independent l -bit variables E i = i x r 0

10 x 1 x 2 z 1 y 2 x 3 x 4 y 3 y 4 x = y = y 1 z 2 E 1 z 3 z 4 CBC Encrypt with F K E 2 E 3 E 4.. z 5 E 5.. y MDC(x) / z 0 z 0 F K F K K Random-number generator. y 0. r 0. r 0 +c. Stateless XCBC-XOR op MDC = , E i = r 0 x i, op = +, and others; Padding = 10* pattern, use z 0 if padding is needed,  z 0 if padding is not needed Stateful-Sender (e.g., r 0 = F K (ctr)) and Stateful (e.g., per-key shared VI, z 0 = r 0 +VI) XCBC-XOR are also defined Stateless Performance: > n+3 blk. cipher invocations, > 2 blk. cipher invocations latency Stateful-Sender Performance: n+3 blk. cipher invocations, 2 blk. cipher invocations latency Stateful Performance: n+2 blk. cipher invocations, 2 blk. cipher invocations latency

11 x1x1 x2x2 x3x3 x4x4 E1E1 K E2E2 E3E3 E4E4. E*5E*5.. x =. FKFK FKFK FKFK FKFK FKFK K K K K K. E1E1 E2E2 E3E3 E4E4. E5E5... y2y2 y3y3 y4y4 y = y1y1 y5y5. MDC(x)... x5x5 z1z1 z2z2 z3z3 z4z4 z5z5 v1v1 v2v2 v3v3 v4v4 v5v5 ctr ctr x R * ctr. ctr’ = ctr+1 R*R* R. op 1  i  n+1 E i = ctr x R* + i x R E* n+1 = ctr x Z* Stateful XECB-XOR Performance Optimized - n+1 block-cipher invocations -  1 block-cipher latency Padding - Z* =  R* if unpadded - Z* = R* if padded - padding pattern: 10* IND-CPA Secure Mode

12 x1x1 x2x2 x3x3 x4x4 E1E1. K E2E2 E3E3 E4E4. E*5E*5.. x =. Random-number generator r0r0 FKFK FKFK FKFK FKFK FKFK K K K K K. E1E1 E2E2 E3E3 E4E4. E5E5... y2y2 y3y3 y4y4 y = y1y1 y5y5 y0y0 FKFK.. MDC(x)... x5x5 z1z1 z2z2 z3z3 z4z4 z5z5 v1v1 v2v2 v3v3 v4v4 v5v5 op Stateless XECB-XOR MDC = , E i = r 0 x i, E* n+1 = (n+2) x Z*, op = +, and others; Z* =  r 0 or r 0 depending upon padding IND-CPA Secure Mode Stateless Performance: > n+2 blk. cipher invocations, > 2 blk. cipher invocations latency

13 x1x1 x2x2 x3x3 x4x4 E1E1 K E2E2 E3E3 E4E4. E*5E*5.. x =. r0r0 FKFK FKFK FKFK FKFK FKFK K K K K K. E1E1 E2E2 E3E3 E4E4. E5E5... y2y2 y3y3 y4y4 y = y1y1 y5y5.. MDC(x)... x5x5 z1z1 z2z2 z3z3 z4z4 z5z5 v1v1 v2v2 v3v3 v4v4 v5v5 ctr ctr’ = ctr+1 FKFK ctr op Stateful-Sender XECB-XOR MDC = , E i = r 0 x i, E* n+1 = (n+2) x Z*, op = +, and others; Z* =  r 0 or r 0 depending upon padding IND-CPA Secure Mode Stateful-Sender Performance: n+2 blk. cipher invocations, 2 blk. cipher invocations latency

14 x1x1 x2x2 x3x3 x4x4 y1y1 y2y2 y3y3 y4y4 K y’ 5 x5x5 x6x6 x7x7 x8x8 y5y5 y6y6 y7y7 y8y8 K y’ 9 x = x9x9 x 10 x 11 x 12 y9y9 y 10 y 11 y 12 K y’ 13 r 01 r 02 r 03 x1x1 x2x2 x3x3 x4x4 x5x5 x6x6 x7x7 x8x8 x9x9 x 10 x 11 x 12 Plaintext Segment 1 Plaintext Segment 1 Encryption Plaintext Segment 2 Encryption Plaintext Segment 3 Encryption ctr FKFK K. Plaintext Segment 2 Plaintext Segment 3 Ciphertext Segment 1 Ciphertext Segment 2 Ciphertext Segment 3 FKFK K FKFK K ctr ctr+1 ctr+2 ctr y1y1 y2y2 y3y3 y4y4 y’ 5 y5y5 y6y6 y7y7 y8y8 y’ 9 y9y9 y 10 y 11 y 12 y’ 13 y = ctr’ = ctr+3 SEGMENTED Stateful-SenderMode* (*) per-segment error handling => error recovery

15 x 1 x 2 x 3 x 4 w K.. x = R F K F K F K F K K K K K x 1 x 2 x 3 x 4 ctr E 3 E2E2 E1E1 R* ctr ctr’ =ctr+1 R* xctr op Stateful XECB-MAC 1  i  n E i = ctr x Z* + i x R, Performance Optimized - n+1 block-cipher invocations -  1 block-cipher latency Padding - Z* =  R* if unpadded - Z* = R* if padded - padding pattern: 10* E4E4 IND-CPA Secure Mode

16 Cost-performance: stateful XECB-XOR and XECB-MAC are optimal (minimum block cipher invocations and latency); XECB-XOR and XECB-MAC modes exhibit architecture-independent parallelism; XCBC-XOR modes are simple extensions of the standard CBC mode Simplicity: same basic structure for - authenticated encryption - ciphertext authentication (two-pass, two keys) - plaintext authentication (MAC) Usability: stateless, stateful-sender, stateful modes for different environments. Security: good bounds. 4. Conclusions

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.