Authenticated encryption: how reordering can impact performance

In this work, we look at authenticated encryption schemes from a new perspective. As opposed to focusing solely on the “security” implications of the different methods for constructing authenticated encryption schemes, we investigate the effect of the method used to construct an authenticated encryption scheme on the “performance” of the construction. We show that, as opposed to the current NIST standard, by performing the authentication operation before the encryption operation, the computational efficiency of the construction can be increased, without affecting the security of the overall construction. In fact, we show that the proposed construction is even more secure than standard authentication based on universal hashing in the sense that the hashing key is resilient to key recovery attacks.
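To make the ordering question concrete, here is an added illustration (written for this page, not the paper's own construction and not its code) of the two generic compositions the abstract contrasts: encrypt-then-authenticate, where the tag is computed over the ciphertext and travels in the clear, and authenticate-then-encrypt, where the tag is computed over the plaintext and then encrypted together with it, so the universal-hash output is never exposed on the wire. The primitives are constructed for a stdlib-only demo: a PRF-based counter-mode stream cipher (HMAC-SHA256 as the PRF) and a Carter-Wegman MAC built from a polynomial universal hash over GF(2^127 - 1); the key-derivation labels and the 16-byte tag length are assumptions of the example.

```python
import hashlib
import hmac

# Constructed example: generic EtM and MtE compositions from a PRF-based stream cipher
# and a polynomial universal hash. Not the paper's scheme; parameters are illustrative.

P = (1 << 127) - 1   # Mersenne prime: field of the polynomial universal hash
BLOCK = 15           # plaintext bytes per field element; 2^121 < P keeps encoding injective
TAG_LEN = 16


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 used as a PRF. Callers pass only fixed-width parts
    (short label, 16-byte nonce, 8-byte counter), so concatenation is unambiguous."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def make_keys(master: bytes):
    """Derive independent encryption key, MAC pad key and hash key (an element of [1, P-1])."""
    enc_key = prf(master, b"enc-key")
    mac_key = prf(master, b"mac-key")
    hash_key = int.from_bytes(prf(master, b"hash-key"), "big") % (P - 1) + 1
    return enc_key, mac_key, hash_key


def stream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style stream encryption: XOR with PRF(enc_key, nonce || counter). Self-inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = prf(enc_key, b"enc", nonce, (i // 32).to_bytes(8, "big"))
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def poly_hash(hash_key: int, data: bytes) -> int:
    """Universal hash h_k(m) = sum_i m_i * k^(n-i+1) mod P, evaluated in Horner form.
    Each block is prefixed with a 0x01 byte so blocks of different lengths map to distinct elements."""
    acc = 0
    for i in range(0, len(data), BLOCK):
        m_i = int.from_bytes(b"\x01" + data[i:i + BLOCK], "big")
        acc = (acc + m_i) * hash_key % P
    return acc


def mac(keys, nonce: bytes, data: bytes) -> bytes:
    """Carter-Wegman MAC: tag = h_k(data) + F(mac_key, nonce) mod P, 16-byte encoding."""
    _, mac_key, hash_key = keys
    pad = int.from_bytes(prf(mac_key, b"pad", nonce), "big") % P
    return ((poly_hash(hash_key, data) + pad) % P).to_bytes(TAG_LEN, "big")


def etm_seal(keys, nonce: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: tag over the ciphertext, sent in the clear."""
    c = stream_xor(keys[0], nonce, msg)
    return c + mac(keys, nonce, c)


def etm_open(keys, nonce: bytes, packet: bytes):
    """Verify the tag before touching the ciphertext; None on failure."""
    if len(packet) < TAG_LEN:
        return None
    c, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(keys, nonce, c)):
        return None
    return stream_xor(keys[0], nonce, c)


def mte_seal(keys, nonce: bytes, msg: bytes) -> bytes:
    """Authenticate-then-encrypt: tag over the plaintext, then plaintext || tag is encrypted,
    so the hash output never appears on the wire."""
    return stream_xor(keys[0], nonce, msg + mac(keys, nonce, msg))


def mte_open(keys, nonce: bytes, packet: bytes):
    """Decrypt first (length-preserving, no padding step), then verify; None on failure."""
    if len(packet) < TAG_LEN:
        return None
    pt = stream_xor(keys[0], nonce, packet)
    msg, tag = pt[:-TAG_LEN], pt[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(keys, nonce, msg)):
        return None
    return msg


def flip_byte(data: bytes, index: int) -> bytes:
    """Tampering helper for the demo: flip the low bit of one byte."""
    index %= len(data)
    return data[:index] + bytes([data[index] ^ 1]) + data[index + 1:]


if __name__ == "__main__":
    keys = make_keys(b"constructed master key, demo only")
    nonce = bytes(range(16))
    msg = b"authenticate then encrypt, or encrypt then authenticate?"
    print("EtM packet length:", len(etm_seal(keys, nonce, msg)))
    print("MtE packet length:", len(mte_seal(keys, nonce, msg)))
    print("EtM tampered ->", etm_open(keys, nonce, flip_byte(etm_seal(keys, nonce, msg), 3)))
    print("MtE tampered ->", mte_open(keys, nonce, flip_byte(mte_seal(keys, nonce, msg), 3)))
```

Both orderings reject a flipped ciphertext byte and a reused packet under a different nonce, and both produce packets of the same size. The difference the abstract points at is visible in the two seal functions: in EtM the verifier sees MAC values directly, whereas in MtE the hash output is covered by the keystream. Note that the MtE path decrypts before it verifies; with length-preserving stream encryption as here there is no padding or formatting step whose failure could leak information, which is the kind of malleability issue that makes generic MtE fragile with other encryption modes.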
