Robust Authenticated-Encryption AEZ and the Problem That It Solves

With a scheme for robust authenticated-encryption a user can select an arbitrary value \(\lambda \ge 0\) and then encrypt a plaintext of any length into a ciphertext that’s \(\lambda\) characters longer. The scheme must provide all the privacy and authenticity possible for the requested \(\lambda\). We formalize and investigate this idea, and construct a well-optimized solution, AEZ, from the AES round function. Our scheme encrypts strings at almost the same rate as OCB-AES or CTR-AES (on Haswell, AEZ has a peak speed of about 0.7 cpb). To accomplish this we employ an approach we call prove-then-prune: prove security and then instantiate with a scaled-down primitive (e.g., reducing rounds for blockcipher calls).
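The following is an added illustration of the robust-AE interface the abstract describes, written for this page and not taken from the paper or from the AEZ code. It shows the encode-then-encipher shape: the plaintext is padded with \(\lambda\) zero bytes and the whole string is enciphered under a tweak binding nonce, associated data and \(\lambda\); decryption reverses the permutation and accepts only if the \(\lambda\) recovered pad bytes are zero. The wide-block tweakable cipher used here is a hypothetical stand-in (an unbalanced 4-round Feistel network with a SHAKE-256 round function), chosen for readability; it is not AEZ's AES-round-based core and carries none of AEZ's bounds or performance, and it cannot mix strings shorter than two bytes. The expansion \(\lambda\) is counted in bytes here, so each unit buys about 8 bits of authenticity.

```python
import hashlib

# ---------------------------------------------------------------------------
# Stand-in wide-block tweakable cipher (hypothetical; NOT the AEZ core).
# An unbalanced 4-round Feistel network whose round function is SHAKE-256
# keyed with `key` and bound to `tweak`.  It plays the role of the
# variable-input-length enciphering that AEZ builds from the AES round
# function, so the encode-then-encipher shape of robust AE can be shown
# end to end.
# ---------------------------------------------------------------------------
ROUNDS = 4


def _round_fn(key: bytes, tweak: bytes, i: int, data: bytes, out_len: int) -> bytes:
    """Keyed, tweak-bound PRF with arbitrary-length output (SHAKE-256 as XOF).
    Every field is length-prefixed so the input encoding is unambiguous."""
    xof = hashlib.shake_256()
    for part in (key, tweak, bytes([i]), data):
        xof.update(len(part).to_bytes(4, "big") + part)
    return xof.digest(out_len)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(key: bytes, tweak: bytes, x: bytes, rounds) -> bytes:
    """Apply the listed rounds in order; each round XORs one half with a PRF
    of the other half, so the same rounds in reverse order are the inverse."""
    if len(x) < 2:
        raise ValueError("toy Feistel needs at least 2 bytes to mix")
    mid = len(x) // 2
    left, right = x[:mid], x[mid:]
    for i in rounds:
        if i % 2 == 0:
            left = _xor(left, _round_fn(key, tweak, i, right, len(left)))
        else:
            right = _xor(right, _round_fn(key, tweak, i, left, len(right)))
    return left + right


def encipher(key: bytes, tweak: bytes, x: bytes) -> bytes:
    """Length-preserving tweakable permutation on strings of >= 2 bytes."""
    return _feistel(key, tweak, x, range(ROUNDS))


def decipher(key: bytes, tweak: bytes, y: bytes) -> bytes:
    """Inverse of encipher."""
    return _feistel(key, tweak, y, reversed(range(ROUNDS)))


# ---------------------------------------------------------------------------
# Robust AE as encode-then-encipher: append lam zero bytes, then encipher the
# whole string under a tweak that binds nonce, associated data and lam.
# ---------------------------------------------------------------------------
def _tweak(nonce: bytes, ad: bytes, lam: int) -> bytes:
    return (len(nonce).to_bytes(4, "big") + nonce
            + len(ad).to_bytes(4, "big") + ad
            + lam.to_bytes(4, "big"))


def rae_encrypt(key: bytes, nonce: bytes, ad: bytes, lam: int, msg: bytes) -> bytes:
    """Ciphertext is exactly lam bytes longer than msg, for any lam >= 0."""
    if lam < 0:
        raise ValueError("expansion must be non-negative")
    return encipher(key, _tweak(nonce, ad, lam), msg + bytes(lam))


def rae_decrypt(key: bytes, nonce: bytes, ad: bytes, lam: int, ct: bytes):
    """Return the message, or None if the lam-byte redundancy check fails.
    A forgery is accepted only if all lam recovered pad bytes are zero, so a
    single attempt succeeds with probability about 2^(-8*lam).  With lam = 0
    nothing is ever rejected: zero expansion can offer no authenticity, but
    privacy (deterministic encryption under the tweak) is still retained."""
    if len(ct) < lam:
        return None
    x = decipher(key, _tweak(nonce, ad, lam), ct)
    msg, pad = x[:len(x) - lam], x[len(x) - lam:]
    return msg if pad == bytes(lam) else None


if __name__ == "__main__":
    # Constructed sample values.
    key, nonce, ad, msg = bytes(range(32)), b"nonce-0001", b"header", b"twelve bytes"
    for lam in (0, 2, 16):
        ct = rae_encrypt(key, nonce, ad, lam, msg)
        forged = ct[:-1] + bytes([ct[-1] ^ 1])
        print(lam, len(ct) - len(msg), rae_decrypt(key, nonce, ad, lam, ct) == msg,
              rae_decrypt(key, nonce, ad, lam, forged) is None)
```

Running the block prints, for each \(\lambda\), the measured expansion, that the honest ciphertext decrypts, and whether a one-byte tampering is rejected: it is for \(\lambda = 2\) and \(\lambda = 16\), never for \(\lambda = 0\), where the forged ciphertext decrypts to an unrelated string instead. Repeating a nonce with the same message and associated data yields the same ciphertext, which is the only information an RAE scheme is allowed to leak under nonce misuse.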
