McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

On-Line Authenticated Encryption (OAE) combines privacy with data integrity and is on-line computable: each ciphertext block can be output as soon as the corresponding plaintext block has been read, without buffering the whole message. Most block cipher-based schemes for Authenticated Encryption can be run on-line and are provably secure against nonce-respecting adversaries, but they fail badly against more general adversaries. This is not only a theoretical observation; in practice, the reuse of nonces is a frequent issue. In recent years, cryptographers have developed misuse-resistant schemes for Authenticated Encryption. These guarantee excellent security even against general adversaries that are allowed to reuse nonces. Their disadvantage is that encryption can only be performed off-line. This paper considers OAE schemes that deal both with nonce-respecting and with general adversaries. It introduces McOE, an efficient design for OAE schemes. We present in detail one member of the family, McOE-X, whose design is based solely on a standard block cipher. Like all the other members of the McOE family, it provably guarantees reasonable security against general adversaries as well as standard security against nonce-respecting adversaries.
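The contrast the abstract draws (nonce-respecting schemes that "fail badly" under nonce reuse versus on-line schemes that still give "reasonable security") is easiest to see on concrete ciphertexts. The following added example is not code from the paper: it builds a toy 128-bit block cipher (a Feistel network over HMAC-SHA256, not AES), encrypts two messages under the same nonce in a counter-mode scheme and in a simplified on-line chaining mode, and shows what each leaks. The chaining mode XORs its chaining value into the block cipher key, the same way McOE-X derives a tweakable block cipher from a standard one, but the mode itself (initialisation, tag, lack of header processing and padding) is a simplified illustration and not McOE-X; all keys, nonces and messages are constructed here.

```python
"""
Added example, not code from the McOE paper: what nonce reuse leaks in a
counter-mode AE scheme versus in an on-line chaining mode whose chaining
value is XORed into the block cipher key. The block cipher is a toy
Feistel network over HMAC-SHA256 (NOT AES) and both modes are simplified
illustrations, not the paper's McOE-X.
"""
import hashlib
import hmac

BLOCK = 16  # toy block size in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy Feistel cipher: HMAC keyed by the cipher key.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit permutation: 4-round balanced Feistel. Illustration only."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, rnd, r))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, rnd, l)), l
    return l + r


def blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("message must be a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# Mode 1: counter mode (the encryption half of GCM/CCM-shaped schemes).
# The keystream depends only on (key, nonce, counter), so a reused nonce
# gives the same keystream for both messages.
def ctr_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    out = b""
    for i, m in enumerate(blocks(msg)):
        ks = toy_encrypt_block(key, nonce[:12] + i.to_bytes(4, "big"))
        out += xor(m, ks)
    return out


# Mode 2: on-line chaining with the chaining value tau XORed into the key.
# tau depends on every earlier plaintext/ciphertext block, so two messages
# encrypted under the same nonce agree only on their common prefix.
def online_encrypt(key: bytes, nonce: bytes, msg: bytes):
    tau = toy_encrypt_block(key, nonce)
    out = b""
    for m in blocks(msg):
        c = toy_encrypt_block(xor(key, tau), m)
        tau = xor(m, c)
        out += c
    tag = toy_encrypt_block(xor(key, tau), nonce)
    return out, tag


def online_decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    tau = toy_encrypt_block(key, nonce)
    out = b""
    for c in blocks(ct):
        m = toy_decrypt_block(xor(key, tau), c)
        tau = xor(m, c)
        out += m
    if not hmac.compare_digest(toy_encrypt_block(xor(key, tau), nonce), tag):
        return None  # forgery or corruption: release no plaintext
    return out


def common_prefix_blocks(c1: bytes, c2: bytes) -> int:
    n = 0
    for a, b in zip(blocks(c1), blocks(c2)):
        if a != b:
            break
        n += 1
    return n


# Constructed sample data (not from the paper): same key, same nonce,
# two messages that share their first two blocks.
KEY = bytes(range(16))
NONCE = b"same-nonce-twice"
M1 = b"block-one-000000" + b"block-two-000000" + b"SECRET-PLAINTEXT"
M2 = b"block-one-000000" + b"block-two-000000" + b"PUBLIC-PLAINTEXT"

if __name__ == "__main__":
    c1, c2 = ctr_encrypt(KEY, NONCE, M1), ctr_encrypt(KEY, NONCE, M2)
    # Counter mode: C1 xor C2 = M1 xor M2, so knowing M2 recovers all of M1.
    print("ctr: M1 recovered from C1, C2, M2:", xor(xor(c1, c2), M2) == M1)
    o1, t1 = online_encrypt(KEY, NONCE, M1)
    o2, _ = online_encrypt(KEY, NONCE, M2)
    print("online: equal leading blocks:", common_prefix_blocks(o1, o2))
    print("online: third blocks related by plaintext xor:",
          xor(o1[32:], o2[32:]) == xor(M1[32:], M2[32:]))
    print("online: tampered ciphertext rejected:",
          online_decrypt(KEY, NONCE, o1[:-1] + bytes([o1[-1] ^ 1]), t1) is None)
```

Running it shows the two failure modes side by side: in counter mode the XOR of the two ciphertexts equals the XOR of the two plaintexts, so one known message exposes the other in full, while the chaining mode reveals only that the messages agree on their first two blocks and gives an unrelated third block. That prefix leakage is exactly the price an on-line scheme must pay, since it has committed to the first ciphertext blocks before seeing the rest of the message; the toy cipher is fine for showing the structure but has none of the related-key guarantees a real instantiation of the key-XOR tweak needs.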
