Succinctly Committing Authenticated Encryption

succinctly committing authenticated encryption n.w
1 / 24
Embed
Share

"Exploring the necessity of privacy and authenticity in symmetric encryption and the importance of committing security in encryption protocols. Discusses current landscape, challenges, and implications of attacks on encryption integrity."

  • Encryption
  • Security
  • Privacy
  • Authenticity
  • Cryptography
rayaanacharya
anam_733 Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Succinctly-Committing Authenticated Encryption Viet Tung Hoang Florida State University Mihir Bellare University of California San Diego CRYPTO 2024 August 22, 2024 1

  2. What Should Symmetric Encryption Provide? Many attacks on Classical encryption Authenticated encryption TLS, WEP, IPSec Example: CBC, CTR Example: GCM, OCB, CCM Provide privacy only Provide privacy and authenticity Recent attacks show that privacy and auth are not enough Shadowsocks Amazon Cloud encryption Subscribe with Google Message franking Tunnel proxy pw-based key exchange 2

  3. What We Need: Committing Security Many definitions [GH03,ABN10, FOR17, GLR17,ADG+22, MLGR23, BH22, CR22] Optimally strong and simple Intuition: It s hard to produce a ciphertext collision Enc Enc C Standard schemes (GCM, CCM, ChaCha20/Poly1305) are all broken [GLR17, MLGR23] 3

  4. The Current Landscape of Committing AE Committing security (bits) Goal CTX [CR22] libsodium 128 96 96 Padding fix [ADG+22] Padding fix [ADG+22] 64 [BH22] Want: 80-bit security (preferably 128-bit), as attacks here are offline GCM 0 Expansion |C| - |M| 48B 16B 32B 4

  5. Why Should We Care? Having 32B Expansion is Undesirable Legacy software Real-time app Commonly 10B tags Energy-constrained device [Struik13]: Short tags save energy 16B tags are ubiquitous 5

  6. The Goal Seems Impossible At The First Glance Even for empty message Birthday attack on committing security: Enc Enc Enc Collison? Implication: For -bit expansion, can have at best /2 bits of committing security 6

  7. Implication of The Birthday Attack Committing security (bits) [NSS24]: Bypass impossibility by assuming msg has enough redundancy that is known to encryption libsodium Goal 128 CTX [CR22] Can t get here unconditionally Padding fix [ADG+22] 64 [BH22] GCM 0 Expansion 48B 32B 16B 7

  8. Our Work: Achieve Goal for General Messages What birthday attack actually means: for 128-bit committing security What prior work implicitly assume: Expansion must be a constant for all message length 8

  9. Bypassing Impossibility: Variable Expansion Expansion 32B The eventual expansion is 16B 16B 0 Message length 16B 9

  10. Todays Roadmap 1. Achieve 128-bit committing security faster than CTX [CR22] CTY transform Committing AE Standard AE (32B expansion) Optimal overhead: Hash(K, N, A) Tag-based schemes (like GCM or CCM) 2. Shorten ciphertext but still preserve committing strength SC transform Committing AE Succinctly (32B expansion) Committing AE Two AES-256 calls 16B expansion for Need stronger auth message 16B (that is met by CTY) 10

  11. Achieving Committing AE (With 32B Expansion) Warmup: The CTX Transform [CR22] K N A M Enc Standard AE T C H Issue: AD is processed twice 11

  12. Improving CTX: Our Transform CTY K N A M N Empty AD K Enc Standard AE T C H Optimal overhead: hashing AD is inherent for committing security 12

  13. Small Change But Appreciable Difference Intel Xeon Gold 6240 5B AD Overhead on GCM (%) 300 250 CTX 200 CTY 150 100 50 0 16B 32B 64B 128B 256B 512B 1KB 2KB 4KB 13

  14. A Stepping Stone for Succinctly-Committing AE Invertible PRF (IPF) That is Also Collision-Resistant C M M C Want: - PRF security - Collision resistance: Hard to find and such that 14

  15. Why Would Collision-Resistant IPF Help? Collision-Resistant IPF (with proper domain and range) is an easier version of Succinctly-Committing AE committing Collision-Resistant IPF Succinctly Committing AE No nonce and AD N Enc A C C M K M Short, say 0B 16B arbitrary constant size, say 15

  16. How To Use Collision-Resistant IPF The Shortening-Ciphertext (SC) Transform Message M S P Key Collision-resistant Enc IPF Committing AE of 32B tag C T R 32B Expansion , which is 16B for messages at least 16B 16

  17. SC Preserves Committing Security of Base AE Message M S P Key Collision-resistant Enc IPF Committing AE of 32B tag C T R Theorem: For any adversary A, can build adversaries B and D such that 17

  18. Why SC Preserves Committing Security Message M S P Commit via AE C S T Commit via IPF C R 18

  19. How To Build A (Collision-Resistant) IPF? IPF is a special case of Pseudorandom Injection, another characterization of Misuse-resistant AE [RS06] Two existing paradigms to build IPF Encode-then-Encipher (EtE) SIV pad M M PRF IV-based Enc IV Blockcipher 19

  20. Collision-Resistant IPF Via EtE Paradigm 0-16B Theorem: For an adversary A making qideal-cipher queries, M BlockcipherK Can be instantiated from Rijndael-256 C 32B 20

  21. Collision-Resistant IPF Via SIV Paradigm The Hash-then-Mask (HtM) Construction The conceptual view of HtM 128 bits pad M pad M EK T Instantiate hash functions T via (truncated) Davies-Meyer X Instantiate E from AES 21

  22. Collision-Resistant IPF Via SIV Paradigm The Hash-then-Mask (HtM) Construction The conceptual view of HtM 128 bits Build H and G on top of n-bit blockcipher E pad M Theorem: For adversary A making q ideal-cipher queries T X 22

  23. Intuition for Strong Collision Resistance of HtM There s a circularity between M and T M mask Can produce a tag collision with birthday Hash Hash attack, but ciphertextswon t match derive Proof is very complex due to out-of-order T and backward queries Approach: - Use a tedious case study of how adversary makes queries - Apply concentration bounds from ball-into-bin analyses 23

  24. Its Time To Have Committing AE Standard? Many apps need committing security but each has its own (suboptimal) scheme This won t happen if we have committing AE standards. Our schemes offer a good starting choice SC CTY Committing AE Succinctly Standard AE (32B expansion) Committing AE cheap optimal 24

Related


Public key encryption, Digital signature and authentication

Public key encryption, Digital signature and authentication

huda
AES Encryption Algorithm and Its Implementation

AES Encryption Algorithm and Its Implementation

danger
Introduction to SFTP & PGP Encryption for Secure Data Transfer

Introduction to SFTP & PGP Encryption for Secure Data Transfer

bunty
AES Encryption in Computer Engineering

AES Encryption in Computer Engineering

lavinia
Columnar Transposition Cipher: Data Encryption Techniques at Mustansiriyah University Engineering College

Columnar Transposition Cipher: Data Encryption Techniques at Mustansiriyah University Engineering College

remiel
ADFGVX Cipher: Encryption and Decryption Techniques

ADFGVX Cipher: Encryption and Decryption Techniques

scarlett
Security with Functional Re-Encryption in Cryptography

Security with Functional Re-Encryption in Cryptography

persis
Security and Privacy in 3G/4G/5G Networks: The AKA Protocol

Security and Privacy in 3G/4G/5G Networks: The AKA Protocol

muey769
Probabilistic Public Key Encryption with Equality Test Overview

Probabilistic Public Key Encryption with Equality Test Overview

keos443
Overview of SMX Algorithm and AES Encryption Standard

Overview of SMX Algorithm and AES Encryption Standard

nmag
The Vital Role of Encryption in Safeguarding the Digital Economy

The Vital Role of Encryption in Safeguarding the Digital Economy

dsega
Cryptography Concepts and Encryption Methods Overview

Cryptography Concepts and Encryption Methods Overview

tming
Encryption: Keys, Algorithms, and Applications

Encryption: Keys, Algorithms, and Applications

yoha_481
Homomorphic Encryption Overview

Homomorphic Encryption Overview

kol_ba
Bootstrapping in Fully Homomorphic Encryption

Bootstrapping in Fully Homomorphic Encryption

elaysia
Homomorphic Encryption and RLWE Schemes Overview

Homomorphic Encryption and RLWE Schemes Overview

galletta_n
Unidirectional Updatable Encryption and Proxy Re-Encryption

Unidirectional Updatable Encryption and Proxy Re-Encryption

sbly
Implementing Informix Encryption at Rest

Implementing Informix Encryption at Rest

ifriz
Advances in Authenticated Garbling for Secure 2PC

Advances in Authenticated Garbling for Secure 2PC

cmelo
Email Security and Encryption Technologies Overview

Email Security and Encryption Technologies Overview

cincereva
RSA Public-key Cryptography in Data Encryption

RSA Public-key Cryptography in Data Encryption

vshen
RSA Encryption for Secure Communication

RSA Encryption for Secure Communication

adahn

More Related Content