1 / 16

The XCBC-XOR, XECB-XOR and XECB-MAC Modes

The XCBC-XOR, XECB-XOR and XECB-MAC Modes. Virgil D. Gligor Pompiliu Donescu VDG Inc 6009 Brookside Drive Chevy Chase, Maryland 20815 {gligor, pompiliu}@eng.umd.edu August 24, 2001. Outline 1. Security Claims 2. Operational Claims 3. Examples: XCBC-XOR, XECB-XOR, XECB-MAC modes

richard-jefferson
Download Presentation

The XCBC-XOR, XECB-XOR and XECB-MAC Modes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The XCBC-XOR, XECB-XOR and XECB-MAC Modes Virgil D. Gligor Pompiliu Donescu VDG Inc 6009 Brookside Drive Chevy Chase, Maryland 20815 {gligor, pompiliu}@eng.umd.edu August 24, 2001

  2. Outline 1. Security Claims 2. Operational Claims 3. Examples: XCBC-XOR, XECB-XOR, XECB-MAC modes 4. Conclusions

  3. 1. Security Claims for Authenticated Encryption 1. Security Claim = a security notion supported by a mode or scheme of encryption 2. Secrecy Notion= < Indistinguishability, adaptive Chosen Plaintext Attacks> 3. Integrity (Authenticity) Notion = < Existential Forgery protection, (adaptive) Chosen Plaintext Attacks>

  4. 2. Operational Claims for Modes of Encryption • Operational Notion= < operational goal, mode characteristics > • Operational Goals: cost-performance, simplicity, usability • cost-performance: • power consumption • speed (no. of block-cipher invocations, latency) • implementation cost (e.g., hardware “real-estate’’) • simplicity • single key • specifications (e.g., simple operations) • same basic structure for • - authenticated encryption • - ciphertext authentication (two-pass, two keys) • - plaintext authentication (MAC) • usability in different environments • various keying-state protection mechanisms needed • availability of random number generators, • error recovery (ECC, no recovery vs. partial recovery)

  5. Operational Characteristics of Modes • State: stateless, stateful-sender, stateful • Degree of parallelism • none (sequential) • interleaved (known/negotiated no. of processing units for parallel operation) • architecture-independent • independent of no. of processing units • same overhead for parallel, pipelined or sequential operation • out-of-order processing, incremental • Error recovery • interleaving provides some support on a per-segment basis • Separation of Confidentiality and Integrity protection (e.g., two-pass, two keys) • Padding • avoid added block-cipher invocation ifmessage length is a multiple no. of blocks. • avoid added latency (1 block-cipher invocation) caused by “ciphertext stealing”

  6. Examples of State Characteristics of a Mode Stateless - needs good, secure source of randomness per message - no state to maintain across messages (other than key) - Execution:  n+3 block cipher invocations; - Latency:  2 block cipher invocations in parallel execution Stateful Sender - state (e.g., message counter) maintained by sender - protection of sender state (e.g., counter integrity) across messages - Execution: n+2 block cipher invocations - Latency: 2 block cipher invocations in parallel execution speed increase robustness increase Stateful - state : shared variables (other than key) - protection of state secrecy, integrity across messages - more susceptible to failures, intrusion - Execution: n+1block cipher invocations - - Latency:  1 block cipher invocation in parallel execution

  7. 3. Authenticated Encryption Modes Unpredictable vector z0 Sender Initialization x = x3 x2 x4 x1 . . . . MDC(x) x5 . IND-CPA Secure Mode . . . . . . FK K z4 z5 z2 z3 z1 . op E1 . op . E2 op . E3 op . E4 op E5 y2 y3 y = y1 y4 y5 Receiver Initialization 1. IND-CPA secure mode: processes block xi, 1  i  n+1, and inputs result to block cipher FK 2. “op” has an inverse “op-1” 3. Elements Ei are unpredictable, 1  i  n+1, and Epi op-1 Eqjare unpredictable, where (p, i)  (q, j) messages p,q are encrypted with same key K.

  8. Motivation for Confidentiality-Centric View Sender Initialization . z = z3 z2 z4 z1 . IND-CPA Secure Mode . . . . . . FK K’ w4 w2 w3 w1 Receiver Initialization w z z z z 2 3 4 1 Observation (1998): secure message authentication modes (in chosen message attacks) can be obtained from certain IND-CPA secure modes Implication: same mode structure can be used for (1) authenticated encryption (one pass, single cryptographic primitive) (2) ciphertext authentication (two-pass, single cryptographic primitive, two-key separation of confidentiality and integrity) (3) plaintext authentication (MAC) Implementation: with only little added control logic we get (1), (2) and (3)

  9. Examples of Mode Initialization stateful mode stateful-sender mode stateless mode . ctr ctr Random-number generator ctr’ = ctr+1 ctr’ = ctr+1 FK Ei = ctr x R* + i x R R*, R r0 1  i  n+1 r0 E*n+1 = ctr x R* . IND-CPA mode sender . IND-CPA mode . . . K . K K Ei = i x r0 . Ei = i x r0 receiver sender sender FK 1  i  n+1 ctr Ei = ctr x R* + i x R R*, R receiver receiver y0 ctr E*n+1 = ctr x R* R*, R = random, uniformly distributed, independent l-bit variables

  10. Stateless XCBC-XOR Random-number generator r x x x x x = 0 4 2 3 1 . . . MDC(x) . / z z 0 0 CBC Encrypt with FK . F K z z z z z r +c 4 5 2 3 1 0 . . op E . 1 op E . . 2 op E . K 3 op E F . 4 K op E 5 y y y y y y y = 0 2 3 1 4 5 Stateful-Sender (e.g., r0 = FK(ctr)) and Stateful (e.g., per-key shared VI, z0 = r0+VI) XCBC-XOR are also defined Stateless Performance: > n+3 blk. cipher invocations, > 2 blk. cipher invocations latency Stateful-Sender Performance: n+3 blk. cipher invocations, 2 blk. cipher invocations latency Stateful Performance: n+2 blk. cipher invocations, 2 blk. cipher invocations latency MDC = , Ei = r0 x i, op = +, and others; Padding = 10* pattern, use z0 if padding is needed, z0 if padding is not needed

  11. Stateful XECB-XOR ctr . ctr’ = ctr+1 x = x3 x2 x4 x1 ctr x R* R* . . . MDC(x) . x5 IND-CPA Secure Mode op . E1 . op . E2 . op . E3 op R E4 . op E*5 v4 v5 v2 v3 v1 FK FK FK FK FK K K K K K K z4 z5 z2 z3 z1 op . E1 op . E2 op . E3 op . E4 op E5 y = y2 y3 y1 y4 y5 ctr Padding - Z* = R* if unpadded - Z* = R* if padded - padding pattern: 10* Performance Optimized - n+1 block-cipher invocations -  1 block-cipher latency Ei = ctr x R* + i x R 1  i  n+1 E*n+1 = ctr x Z*

  12. Stateless XECB-XOR Random-number generator r0 x = x3 x2 x4 x1 . . . MDC(x) . x5 IND-CPA Secure Mode op . E1 . op . E2 op . E3 op E4 . op E*5 v4 v5 v2 v3 v1 . FK FK FK FK FK K K K K K K z4 z5 z2 z3 z1 . op . E1 op . E2 op . E3 op FK E4 . op E5 y = y0 y2 y3 y1 y4 y5 Stateless Performance: > n+2 blk. cipher invocations, > 2 blk. cipher invocations latency MDC = , Ei = r0 x i, E*n+1 = (n+2) x Z*, op = +, and others; Z* =  r0or r0 depending upon padding

  13. Stateful-Sender XECB-XOR ctr ctr’ = ctr+1 FK x = x3 x2 x4 x1 r0 . . . MDC(x) . x5 IND-CPA Secure Mode op . E1 . op . E2 op . E3 op E4 . op E*5 v4 v5 v2 v3 v1 . FK FK FK FK FK K K K K K K z4 z5 z2 z3 z1 op . E1 op . E2 op . E3 op . E4 op E5 y = y2 y3 y1 y4 y5 ctr Stateful-Sender Performance: n+2 blk. cipher invocations, 2 blk. cipher invocations latency MDC = , Ei = r0 x i, E*n+1 = (n+2) x Z*, op = +, and others; Z* =  r0or r0 depending upon padding

  14. SEGMENTED Stateful-SenderMode* x = x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 Plaintext Segment 2 Plaintext Segment 1 Plaintext Segment 3 ctr ctr ctr+2 ctr+1 K . FK K FK FK K x1 x3 x4 x2 r01 x5 x7 x8 x9 x11 x12 x6 x10 r02 r03 Plaintext Segment 1 Encryption Plaintext Segment 3 Encryption Plaintext Segment 2 Encryption K K K y4 y1 y3 y2 y’5 y8 y12 y5 y7 y9 y11 y6 y’9 y10 y’13 Ciphertext Segment 1 Ciphertext Segment 3 Ciphertext Segment 2 y1 y2 y3 y4 y’5 y5 y6 y7 y8 y’9 y9 y10 y11 y12 y’13 y = ctr ctr’ = ctr+3 (*) per-segment error handling => error recovery

  15. Stateful XECB-MAC R R* ctr x x x x . x = 4 3 2 ctr’ = ctr +1 1 R* x ctr IND-CPA Secure Mode . E1 . op . E2 op . . op . E3 . op E4 . F F F F K K K K K K K K K w ctr x x x x 2 3 4 1 Padding - Z* = R* if unpadded - Z* = R* if padded - padding pattern: 10* Performance Optimized - n+1 block-cipher invocations -  1 block-cipher latency Ei = ctr x Z* + i x R, 1  i  n

  16. 4. Conclusions • Cost-performance: • stateful XECB-XOR and XECB-MAC are optimal (minimum block cipher invocations and latency); • XECB-XOR and XECB-MAC modes exhibit architecture-independent parallelism; • XCBC-XOR modes are simple extensions of the standard CBC mode • Simplicity: • same basic structure for • - authenticated encryption • - ciphertext authentication (two-pass, two keys) • - plaintext authentication (MAC) • Usability: • stateless, stateful-sender, stateful modes for different environments. • Security: • good bounds.

More Related