Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 The XCBC-XOR, XECB-XOR and XECB-MAC Modes Virgil D. GligorPompiliu Donescu VDG Inc 6009 Brookside Drive Chevy Chase, Maryland 20815 {gligor,

Published byWinfred Virgil Foster Modified over 9 years ago

Similar presentations

Presentation on theme: "1 The XCBC-XOR, XECB-XOR and XECB-MAC Modes Virgil D. GligorPompiliu Donescu VDG Inc 6009 Brookside Drive Chevy Chase, Maryland 20815 {gligor,"— Presentation transcript:

1 1 The XCBC-XOR, XECB-XOR and XECB-MAC Modes Virgil D. GligorPompiliu Donescu VDG Inc 6009 Brookside Drive Chevy Chase, Maryland 20815 {gligor, pompiliu}@eng.umd.edu August 24, 2001

2 2 Outline 1. Security Claims 2. Operational Claims 3. Examples: XCBC-XOR, XECB-XOR, XECB-MAC modes 4. Conclusions

3 3 1. Security Claims for Authenticated Encryption 1. Security Claim = a security notion supported by a mode or scheme of encryption 2. Secrecy Notion = 3. Integrity (Authenticity) Notion = < Existential Forgery protection, (adaptive) Chosen Plaintext Attacks>

4 4 2. Operational Claims for Modes of Encryption Operational Notion = Operational Goals: cost-performance, simplicity, usability cost-performance: power consumption speed (no. of block-cipher invocations, latency) implementation cost (e.g., hardware “real-estate’’) simplicity single key specifications (e.g., simple operations) same basic structure for - authenticated encryption - ciphertext authentication (two-pass, two keys) - plaintext authentication (MAC) usability in different environments various keying-state protection mechanisms needed availability of random number generators, error recovery (ECC, no recovery vs. partial recovery)

5 5 Operational Characteristics of Modes State: stateless, stateful-sender, stateful Degree of parallelism none (sequential) interleaved (known/negotiated no. of processing units for parallel operation) architecture-independent independent of no. of processing units same overhead for parallel, pipelined or sequential operation out-of-order processing, incremental Error recovery interleaving provides some support on a per-segment basis Separation of Confidentiality and Integrity protection (e.g., two-pass, two keys) Padding avoid added block-cipher invocation if message length is a multiple no. of blocks. avoid added latency (1 block-cipher invocation) caused by “ciphertext stealing”

6 6 Examples of State Characteristics of a Mode Stateless - needs good, secure source of randomness per message - no state to maintain across messages (other than key) - Execution:  n+3 block cipher invocations; - Latency:  2 block cipher invocations in parallel execution Stateful Sender - state (e.g., message counter) maintained by sender - protection of sender state (e.g., counter integrity) across messages - Execution: n+2 block cipher invocations - Latency: 2 block cipher invocations in parallel execution Stateful - state : shared variables (other than key) - protection of state secrecy, integrity across messages - more susceptible to failures, intrusion - Execution: n+1 block cipher invocations- - Latency:  1 block cipher invocation in parallel execution robustness increase speed increase

7 7 x1x1 x2x2 x3x3 x4x4. K x =. E1E1 E2E2 E3E3 E4E4. E5E5... y2y2 y3y3 y4y4 y = y1y1 y5y5. MDC(x)... x5x5 IND-CPA Secure Mode z1z1 z2z2 z3z3 z4z4 z5z5 Sender Initialization FKFK... Receiver Initialization 3. Authenticated Encryption Modes op 1. IND-CPA secure mode: processes block x i, 1  i  n+1, and inputs result to block cipher F K 2. “op” has an inverse “op -1 ” 3. Elements E i are unpredictable, 1  i  n+1, and E p i op -1 E q j are unpredictable, where (p, i)  (q, j) messages p,q are encrypted with same key K. Unpredictable vector z 0

8 8 z1z1 z2z2 z3z3 z4z4 K’ z =.. IND-CPA Secure Mode w1w1 w2w2 w3w3 w4w4 Sender Initialization FKFK... Receiver Initialization Motivation for Confidentiality-Centric View w z 1 z 2 z 3 z 4 Observation (1998): secure message authentication modes (in chosen message attacks) can be obtained from certain IND-CPA secure modes Implication: same mode structure can be used for (1) authenticated encryption (one pass, single cryptographic primitive) (2) ciphertext authentication (two-pass, single cryptographic primitive, two-key separation of confidentiality and integrity) (3) plaintext authentication (MAC) Implementation: with only little added control logic we get (1), (2) and (3)

9 9. K Random-number generator r0r0. y0y0 FKFK. IND-CPA mode stateless mode r0r0 ctr ctr’ = ctr+1 FKFK K... IND-CPA mode E i = i x r 0 ctr stateful-sender mode K. R*, R E i = ctr x R* + i x R R*, R E i = ctr x R* + i x R ctr ctr’ = ctr+1 ctr. stateful mode Examples of Mode Initialization 1  i  n+1 E* n+1 = ctr x R* sender receiver R*, R = random, uniformly distributed, independent l -bit variables E i = i x r 0

10 10 x 1 x 2 z 1 y 2 x 3 x 4 y 3 y 4 x = y = y 1 z 2 E 1 z 3 z 4 CBC Encrypt with F K E 2 E 3 E 4.. z 5 E 5.. y 5.... MDC(x) / z 0 z 0 F K F K K Random-number generator. y 0. r 0. r 0 +c. Stateless XCBC-XOR op MDC = , E i = r 0 x i, op = +, and others; Padding = 10* pattern, use z 0 if padding is needed,  z 0 if padding is not needed Stateful-Sender (e.g., r 0 = F K (ctr)) and Stateful (e.g., per-key shared VI, z 0 = r 0 +VI) XCBC-XOR are also defined Stateless Performance: > n+3 blk. cipher invocations, > 2 blk. cipher invocations latency Stateful-Sender Performance: n+3 blk. cipher invocations, 2 blk. cipher invocations latency Stateful Performance: n+2 blk. cipher invocations, 2 blk. cipher invocations latency

11 11 x1x1 x2x2 x3x3 x4x4 E1E1 K E2E2 E3E3 E4E4. E*5E*5.. x =. FKFK FKFK FKFK FKFK FKFK K K K K K. E1E1 E2E2 E3E3 E4E4. E5E5... y2y2 y3y3 y4y4 y = y1y1 y5y5. MDC(x)... x5x5 z1z1 z2z2 z3z3 z4z4 z5z5 v1v1 v2v2 v3v3 v4v4 v5v5 ctr ctr x R * ctr. ctr’ = ctr+1 R*R* R. op 1  i  n+1 E i = ctr x R* + i x R E* n+1 = ctr x Z* Stateful XECB-XOR Performance Optimized - n+1 block-cipher invocations -  1 block-cipher latency Padding - Z* =  R* if unpadded - Z* = R* if padded - padding pattern: 10* IND-CPA Secure Mode

12 12 x1x1 x2x2 x3x3 x4x4 E1E1. K E2E2 E3E3 E4E4. E*5E*5.. x =. Random-number generator r0r0 FKFK FKFK FKFK FKFK FKFK K K K K K. E1E1 E2E2 E3E3 E4E4. E5E5... y2y2 y3y3 y4y4 y = y1y1 y5y5 y0y0 FKFK.. MDC(x)... x5x5 z1z1 z2z2 z3z3 z4z4 z5z5 v1v1 v2v2 v3v3 v4v4 v5v5 op Stateless XECB-XOR MDC = , E i = r 0 x i, E* n+1 = (n+2) x Z*, op = +, and others; Z* =  r 0 or r 0 depending upon padding IND-CPA Secure Mode Stateless Performance: > n+2 blk. cipher invocations, > 2 blk. cipher invocations latency

13 13 x1x1 x2x2 x3x3 x4x4 E1E1 K E2E2 E3E3 E4E4. E*5E*5.. x =. r0r0 FKFK FKFK FKFK FKFK FKFK K K K K K. E1E1 E2E2 E3E3 E4E4. E5E5... y2y2 y3y3 y4y4 y = y1y1 y5y5.. MDC(x)... x5x5 z1z1 z2z2 z3z3 z4z4 z5z5 v1v1 v2v2 v3v3 v4v4 v5v5 ctr ctr’ = ctr+1 FKFK ctr op Stateful-Sender XECB-XOR MDC = , E i = r 0 x i, E* n+1 = (n+2) x Z*, op = +, and others; Z* =  r 0 or r 0 depending upon padding IND-CPA Secure Mode Stateful-Sender Performance: n+2 blk. cipher invocations, 2 blk. cipher invocations latency

14 14 x1x1 x2x2 x3x3 x4x4 y1y1 y2y2 y3y3 y4y4 K y’ 5 x5x5 x6x6 x7x7 x8x8 y5y5 y6y6 y7y7 y8y8 K y’ 9 x = x9x9 x 10 x 11 x 12 y9y9 y 10 y 11 y 12 K y’ 13 r 01 r 02 r 03 x1x1 x2x2 x3x3 x4x4 x5x5 x6x6 x7x7 x8x8 x9x9 x 10 x 11 x 12 Plaintext Segment 1 Plaintext Segment 1 Encryption Plaintext Segment 2 Encryption Plaintext Segment 3 Encryption ctr FKFK K. Plaintext Segment 2 Plaintext Segment 3 Ciphertext Segment 1 Ciphertext Segment 2 Ciphertext Segment 3 FKFK K FKFK K ctr ctr+1 ctr+2 ctr y1y1 y2y2 y3y3 y4y4 y’ 5 y5y5 y6y6 y7y7 y8y8 y’ 9 y9y9 y 10 y 11 y 12 y’ 13 y = ctr’ = ctr+3 SEGMENTED Stateful-SenderMode* (*) per-segment error handling => error recovery

15 15 x 1 x 2 x 3 x 4 w K.. x = R F K F K F K F K K K K K x 1 x 2 x 3 x 4 ctr E 3 E2E2 E1E1 R*....... ctr ctr’ =ctr+1 R* xctr op Stateful XECB-MAC 1  i  n E i = ctr x Z* + i x R, Performance Optimized - n+1 block-cipher invocations -  1 block-cipher latency Padding - Z* =  R* if unpadded - Z* = R* if padded - padding pattern: 10* E4E4 IND-CPA Secure Mode

16 16 Cost-performance: stateful XECB-XOR and XECB-MAC are optimal (minimum block cipher invocations and latency); XECB-XOR and XECB-MAC modes exhibit architecture-independent parallelism; XCBC-XOR modes are simple extensions of the standard CBC mode Simplicity: same basic structure for - authenticated encryption - ciphertext authentication (two-pass, two keys) - plaintext authentication (MAC) Usability: stateless, stateful-sender, stateful modes for different environments. Security: good bounds. 4. Conclusions

Download ppt "1 The XCBC-XOR, XECB-XOR and XECB-MAC Modes Virgil D. GligorPompiliu Donescu VDG Inc 6009 Brookside Drive Chevy Chase, Maryland 20815 {gligor,"

Similar presentations

ECE454/CS594 Computer and Network Security

ECE454/CS594 Computer and Network Security
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Cryptography and Network Security Chapter 6. Chapter 6 – Block Cipher Operation Many savages at the present day regard their names as vital parts of themselves,

Cryptography and Network Security Chapter 6. Chapter 6 – Block Cipher Operation Many savages at the present day regard their names as vital parts of themselves,
Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.

Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.

1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
Stream cipher diagram + + Recall: One-time pad in Chap. 2.

Stream cipher diagram + + Recall: One-time pad in Chap. 2.
1 CS 577 “TinySec: A Link Layer Security Architecture for Wireless Sensor Networks” Chris Karlof, Naveen Sastry, David Wagner UC Berkeley Summary presented.

1 CS 577 “TinySec: A Link Layer Security Architecture for Wireless Sensor Networks” Chris Karlof, Naveen Sastry, David Wagner UC Berkeley Summary presented.
#1 EAX A two-pass authenticated encryption mode Mihir BellarePhillip RogawayDavid Wagner U.C. San Diego U.C. Davis and U.C. Berkeley Chiang Mai University.

#1 EAX A two-pass authenticated encryption mode Mihir BellarePhillip RogawayDavid Wagner U.C. San Diego U.C. Davis and U.C. Berkeley Chiang Mai University.
Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.

Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Encryption Schemes Second Pass Brice Toth 21 November 2001.

Encryption Schemes Second Pass Brice Toth 21 November 2001.
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.

1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Block Cipher Transmission Modes CSCI 5857: Encoding and Encryption.

Block Cipher Transmission Modes CSCI 5857: Encoding and Encryption.
Modes of Operation. Topics  Overview of Modes of Operation  EBC, CBC, CFB, OFB, CTR  Notes and Remarks on each modes.

Modes of Operation. Topics  Overview of Modes of Operation  EBC, CBC, CFB, OFB, CTR  Notes and Remarks on each modes.
Message Authentication Requirements Disclosure Release of message contents to any person or process not possessing the appropriate cryptographic key Traffic.

Message Authentication Requirements Disclosure Release of message contents to any person or process not possessing the appropriate cryptographic key Traffic.
Cryptography and Network Security Chapter 6. Multiple Encryption & DES  clear a replacement for DES was needed theoretical attacks that can break it.

Cryptography and Network Security Chapter 6. Multiple Encryption & DES  clear a replacement for DES was needed theoretical attacks that can break it.
1 TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Hai Yan Computer Science & Engineering University of Connecticut.

1 TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Hai Yan Computer Science & Engineering University of Connecticut.

Similar presentations

Ads by Google