Automated Analysis and Synthesis of Authenticated Encryption Schemes

Authenticated encryption (AE) schemes are symmetric-key encryption schemes ensuring strong notions of confidentiality and integrity. Although various AE schemes are known, there remains significant interest in developing schemes that are more efficient, meet even stronger security notions (e.g., misuse-resistance), or satisfy certain non-cryptographic properties (e.g., being patent-free). We present an automated approach for analyzing and synthesizing blockcipher-based AE schemes, significantly extending prior work by Malozemoff et al. (CSF 2014) who synthesize encryption schemes satisfying confidentiality only. Our main insight is to restrict attention to a certain class of schemes that is expressive enough to capture several known constructions yet also admits automated reasoning about security. We use our approach to generate thousands of AE schemes with provable security guarantees, both known (e.g., variants of OCB and CCM) and new. Implementing two of these new schemes, we find their performance competitive with state-of-the-art AE schemes.

[1] Stefan Lucks et al. McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes, 2012, FSE.

[2] Mihir Bellare et al. The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs, 2006, EUROCRYPT.

[3] Mihir Bellare et al. OCB: a block-cipher mode of operation for efficient authenticated encryption, 2001, CCS '01.

[4] Kan Yasuda et al. BTM: A Single-Key, Inverse-Cipher-Free Mode for Deterministic Authenticated Encryption, 2009, Selected Areas in Cryptography.

[5] John Viega et al. The Security and Performance of the Galois/Counter Mode (GCM) of Operation, 2004, INDOCRYPT.

[6] Phillip Rogaway et al. The Software Performance of Authenticated-Encryption Modes, 2011, FSE.

[7] Tetsu Iwata et al. Breaking and Repairing GCM Security Proofs, 2012, IACR Cryptol. ePrint Arch.

[8] Phillip Rogaway et al. Authenticated-encryption with associated-data, 2002, CCS '02.

[9] Matthew Green et al. Machine-generated algorithms, proofs and software for the batch verification of digital signature schemes, 2012, J. Comput. Secur.

[10] Kazuhiko Minematsu et al. Parallelizable Rate-1 Authenticated Encryption from Pseudorandom Functions, 2014, EUROCRYPT.

[11] Morris Dworkin et al. Special Publication 800-38C, Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality, 2003.

[12] David A. Wagner et al. Tweakable Block Ciphers, 2002, Journal of Cryptology.

[13] Andrey Bogdanov et al. Parallelizable and Authenticated Online Ciphers, 2013, IACR Cryptol. ePrint Arch.

[14] Mehdi Tibouchi et al. Strongly-Optimal Structure Preserving Signatures from Type II Pairings: Synthesis and Lower Bounds, 2015, Public Key Cryptography.

[15] Jonathan Katz et al. Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation, 2000, FSE.

[16] Morris J. Dworkin. SP 800-38C. Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality, 2004.

[17] Benjamin Grégoire et al. Fully automated analysis of padding-based encryption in the computational model, 2013, CCS.

[18] Phillip Rogaway et al. Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC, 2004, ASIACRYPT.

[19] Phillip Rogaway et al. Nonce-Based Symmetric Encryption, 2004, FSE.

[20] Gilles Barthe et al. Automated Analysis of Cryptographic Assumptions in Generic Group Models, 2014, IACR Cryptol. ePrint Arch.

[21] Ashish Tiwari et al. Program Synthesis Using Dual Interpretation, 2015, CADE.

[22] Alex J. Malozemoff et al. Automated Analysis and Synthesis of Block-Cipher Modes of Operation, 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[23] Virgil D. Gligor et al. Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes, 2001, FSE.

[24] Matthew Green et al. Using SMT solvers to automate design tasks for encryption and signature schemes, 2013, CCS.

[25] Chanathip Namprempre et al. Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm, 2000, Journal of Cryptology.