Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem

We give a provable-security treatment for the key-wrap problem, providing definitions, constructions, and proofs. We suggest that key-wrap's goal is security in the sense of deterministic authenticated-encryption (DAE), a notion that we put forward. We also provide an alternative notion, a pseudorandom injection (PRI), which we prove to be equivalent. We provide a DAE construction, SIV, analyze its concrete security, develop a blockcipher-based instantiation of it, and suggest that the method makes a desirable alternative to the schemes of the X9.102 draft standard. The construction incorporates a method to turn a PRF that operates on a string into an equally efficient PRF that operates on a vector of strings, a problem of independent interest. Finally, we consider IV-based authenticated-encryption (AE) schemes that are maximally forgiving of repeated IVs, a goal we formalize as misuse-resistant AE. We show that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.

[1]  Morris Dworkin,et al.  Special Publication 800-38C, Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality , 2003 .

[2]  Michael Luby,et al.  How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract) , 1986, CRYPTO.

[3]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.

[4]  Yevgeniy Dodis,et al.  Entropic Security and the Encryption of High Entropy Messages , 2005, TCC.

[5]  Jonathan Katz,et al.  Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation , 2000, FSE.

[6]  Mihir Bellare,et al.  The EAX Mode of Operation , 2004, FSE.

[7]  Morris J. Dworkin SP 800-38C. Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality , 2004 .

[8]  Mihir Bellare,et al.  OCB: a block-cipher mode of operation for efficient authenticated encryption , 2001, CCS '01.

[9]  John Black,et al.  CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions , 2000, Journal of Cryptology.

[10]  Mihir Bellare,et al.  Encode-Then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography , 2000, ASIACRYPT.

[11]  Alexander Russell,et al.  How to fool an unbounded adversary with a short key , 2002, IEEE Transactions on Information Theory.

[12]  Phillip Rogaway,et al.  Nonce-Based Symmetric Encryption , 2004, FSE.

[13]  D. McGrew,et al.  The Galois/Counter Mode of Operation (GCM) , 2005 .

[14]  Silvio Micali,et al.  How to construct random functions , 1986, JACM.

[15]  Mihir Bellare,et al.  A concrete security treatment of symmetric encryption , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[16]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[17]  Hugo Krawczyk,et al.  The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?) , 2001, CRYPTO.

[18]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[19]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, ASIACRYPT.

[20]  Morris J. Dworkin,et al.  Recommendation for Block Cipher Modes of Operation: Methods and Techniques , 2001 .

[21]  Russ Housley Triple-DES and RC2 Key Wrapping , 2001, RFC.

[22]  Phillip Rogaway,et al.  Authenticated-encryption with associated-data , 2002, CCS '02.

[23]  Morris J. Dworkin,et al.  SP 800-38B. Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication , 2005 .

[24]  Mihir Bellare,et al.  Does Encryption with Redundancy Provide Authenticity? , 2001, EUROCRYPT.

[25]  Morris J. Dworkin,et al.  SP 800-38A 2001 edition. Recommendation for Block Cipher Modes of Operation: Methods and Techniques , 2001 .

[26]  Mihir Bellare,et al.  Code-Based Game-Playing Proofs and the Security of Triple Encryption , 2004, IACR Cryptol. ePrint Arch..

[27]  Mihir Bellare,et al.  A concrete security treatment of symmet-ric encryption: Analysis of the DES modes of operation , 1997, FOCS 1997.

[28]  Shai Halevi,et al.  A Tweakable Enciphering Mode , 2003, CRYPTO.

[29]  Tadayoshi Kohno,et al.  CWC: A High-Performance Conventional Authenticated Encryption Mode , 2004, FSE.

[30]  Charanjit S. Jutla,et al.  Encryption Modes with Almost Free Message Integrity , 2001, Journal of Cryptology.

[31]  John Black,et al.  CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions , 2000, CRYPTO.

[32]  Chanathip Namprempre,et al.  Online Ciphers and the Hash-CBC Construction , 2001, CRYPTO.

[33]  Morris Dworkin Request for Review of Key Wrap Algorithms , 2004, IACR Cryptol. ePrint Arch..

[34]  Kaoru Kurosawa,et al.  OMAC: One-Key CBC MAC , 2003, IACR Cryptol. ePrint Arch..

[35]  David A. Wagner,et al.  Tweakable Block Ciphers , 2002, CRYPTO.

[36]  John Black,et al.  A Block-Cipher Mode of Operation for Parallelizable Message Authentication , 2002, EUROCRYPT.

[37]  David Pointcheval,et al.  About the Security of Ciphers (Semantic Security and Pseudo-Random Permutations) , 2004, Selected Areas in Cryptography.

[38]  Stephen M. Matyas Key Handling with Control Vectors , 1991, IBM Syst. J..

[39]  Mihir Bellare,et al.  The Security of the Cipher Block Chaining Message Authentication Code , 2000, J. Comput. Syst. Sci..