TL;DR: A bitsliced implementation of AES encryption in counter mode for 64-bit Intel processors that is up to 25% faster than previous implementations while simultaneously offering protection against timing attacks, and is the only cache-timing-attack resistant implementation offering competitive speeds for stream as well as for packet encryption.
Abstract: We present a bitsliced implementation of AES encryption in counter mode for 64-bit Intel processors. Running at 7.59 cycles/byte on a Core 2, it is up to 25% faster than previous implementations, while simultaneously offering protection against timing attacks. In particular, it is the only cache-timing-attack resistant implementation offering competitive speeds for stream as well as for packet encryption: for 576-byte packets, we improve performance over previous bitsliced implementations by more than a factor of 2. We also report more than 30% improved speeds for lookup-table based Galois/Counter mode authentication, achieving 10.68 cycles/byte for authenticated encryption. Furthermore, we present the first constant-time implementation of AES-GCM that has a reasonable speed of 21.99 cycles/byte, thus offering a full suite of timing-analysis resistant software for authenticated encryption.
TL;DR: This work proposes the HBS (Hash Block Stealing) mode of operation, the first single-key mode that provably achieves the goal of providing deterministic authenticated encryption.
Abstract: We propose the HBS (Hash Block Stealing) mode of operation. This is the first single-key mode that provably achieves the goal of providing deterministic authenticated encryption. The authentication part of HBS utilizes a newly-developed, vector-input polynomial hash function. The encryption part uses a blockcipher-based, counter-like mode. These two parts are combined in such a way that the numbers of finite-field multiplications and blockcipher calls are minimized. Specifically, for a header of h blocks and a message of m blocks, the HBS algorithm requires just h + m + 2 multiplications in the finite field and m + 2 calls to the blockcipher. Although the HBS algorithm is fairly simple, its security proof is rather complicated.
TL;DR: A new blockcipher mode of operation named BTM (Bivariate Tag Mixing) that makes all-around improvements over the previous two DAE constructions, SIV (Eurocrypt 2006) and HBS (FSE 2009).
Abstract: We present a new blockcipher mode of operation named BTM, which stands for Bivariate Tag Mixing. BTM falls into the category of Deterministic Authenticated Encryption, which we call DAE for short. BTM makes all-around improvements over the previous two DAE constructions, SIV (Eurocrypt 2006) and HBS (FSE 2009). Specifically, our BTM requires just one blockcipher key, whereas SIV requires two. Our BTM does not require the decryption algorithm of the underlying blockcipher, whereas HBS does. The BTM mode utilizes bivariate polynomial hashing for authentication, which enables us to handle vectorial inputs of dynamic dimensions. BTM then generates an initial value for its counter mode of encryption by mixing the resulting tag with one of the two variables (hash keys), which avoids the need for an implementation of the inverse cipher.
TL;DR: An information-theoretically secure direction for the construction of secure channels is proposed, and it is shown how the special structure of authenticated encryption systems can be exploited to achieve provably secure authentication that is very efficient for the authentication of short messages.
Abstract: In cryptology, secure channels enable the exchange of messages in a confidential and authenticated manner. The literature of cryptology is rich with proposals and analysis that address the secure communication over public (insecure) channels. In this work, we propose an information theoretically secure direction for the construction of secure channels. First, we propose a method of achieving unconditionally secure authentication with half the amount of key material required by traditional unconditionally secure message authentication codes (MACs). Key reduction is achieved by utilizing the special structure of the authenticated encryption system. That is, authentication exploits the secrecy of the message to reduce the key material required for authentication. After the description of our method, since key material is the most important concern in unconditionally secure authentication, given the message is encrypted with a perfectly secret one-time pad cipher, we extend our method to achieve unconditionally secure authentication with almost free key material. That is, we propose a method for unconditionally authenticating arbitrarily long messages with much shorter keys. Finally, we will show how the special structure of the authenticated encryption systems can be exploited to achieve provably secure authentication that is very efficient for the authentication of short messages.
TL;DR: A convertible authenticated encryption scheme allows a designated receiver to retrieve an authenticated ciphertext and convert the authenticated ciphertext into an ordinary signature.
Abstract: A convertible authenticated encryption scheme allows a designated receiver to retrieve an authenticated ciphertext and convert the authenticated ciphertext into an ordinary signature. The receiver ...
TL;DR: The author proposes a new convertible multi-authenticated encryption scheme based on the intractability of one-way hash functions and discrete logarithms that is smaller than Wu et al.'s scheme and improves the computational efficiency.
TL;DR: In this paper, the authors consider the construction and analysis of pseudo-random functions (PRFs) with specific reference to modes of operations of a block cipher and present two new parallelizable PRFs which are suitable for use as message authentication codes (MACs).
Abstract: This paper considers the construction and analysis of pseudo-random functions (PRFs) with specific reference to modes of operations of a block cipher. In the context of message authentication codes (MACs), earlier independent work by Bernstein and Vaudenay shows how to reduce the analysis of relevant PRFs to some probability calculations. In the first part of the paper, we revisit this result and use it to prove a general result on constructions which use a PRF with a “small” domain to build a PRF with a “large” domain. This result is used to analyse two new parallelizable PRFs which are suitable for use as MAC schemes. The first scheme, called iPMAC, is based on a block cipher and improves upon the well-known PMAC algorithm. The improvements consist in faster masking operations and the removal of a design-stage discrete logarithm computation. The second scheme, called VPMAC, uses a keyed compression function rather than a block cipher. The only previously known compression-function-based parallelizable PRF is called the protected counter sum (PCS) and is due to Bernstein. VPMAC improves upon PCS by requiring a smaller number of calls to the compression function. The second part of the paper takes a new look at the construction and analysis of modes of operations for authenticated encryption (AE) and for authenticated encryption with associated data (AEAD). Usually, the most complicated part in the security analysis of such modes is the analysis of authentication security. Previous work by Liskov, Rivest and Wagner and later Rogaway had suggested that this analysis is simplified by using a primitive called a tweakable block cipher (TBC). In contrast, we take a direct approach. We prove a general result which shows that the authentication security of an AE scheme can be proved from the privacy of the scheme and by showing a certain associated function to be a PRF. Two new AE schemes PAE and PAE-1 are described and analysed using this approach.
In particular, it is shown that the authentication security of PAE follows easily from the security of iPMAC. As a result, no separate extensive analysis of the authentication security of PAE is required. An AEAD scheme can be obtained by combining an AE scheme and an authentication scheme and it has been suggested earlier that a TBC based approach simplifies the analysis. Again, in contrast to the TBC based approach, we take a direct approach based on a simple masking strategy. Our idea uses double encryption of a fixed string and achieves the same effect of mask separation as in the TBC based approach. Using this idea, two new AEAD schemes PAEAD and PAEAD-1 are described. An important application of AEAD schemes is in the encryption of IP packets. The new schemes offer certain advantages over previously well known schemes such as the offset codebook (OCB) mode. These improvements include providing a wider variety of easily reconfigurable family of schemes, a small speed-up, a smaller size decryption algorithm for hardware implementation and uniform processing of only full-block messages.
TL;DR: This paper proposes two functionalities for symmetric encryption, an unauthenticated and an authenticated version, and shows that they can be implemented based on standard cryptographic assumptions for symmetric encryption schemes, namely IND-CCA security and authenticated encryption, respectively, provided that the environment does not create key cycles or cause the commitment problem.
Abstract: For most basic cryptographic tasks, such as public key encryption, digital signatures, authentication, key exchange, and many other more sophisticated tasks, ideal functionalities have been formulated in the simulation-based security approach, along with their realizations. Surprisingly, however, no such functionality exists for symmetric encryption, except for a more abstract Dolev-Yao style functionality. In this paper, we fill this gap. We propose two functionalities for symmetric encryption, an unauthenticated and an authenticated version, and show that they can be implemented based on standard cryptographic assumptions for symmetric encryption schemes, namely IND-CCA security and authenticated encryption, respectively. We also illustrate the usefulness of our functionalities in applications, both in simulation-based and game-based security settings.
TL;DR: The authors propose an RSA-based secure CAE scheme which differs from previously proposed ones based on discrete logarithms or elliptic curve discrete logarithms, and which has a convenient arbitration mechanism allowing the designated recipient to convert the authenticated ciphertext into an ordinary signature.
Abstract: A convertible authenticated encryption (CAE) scheme is a better way to simultaneously provide cryptographic schemes with the properties of confidentiality, authenticity and non-repudiation. The authors propose an RSA-based secure CAE scheme which is different from previously proposed ones based on the discrete logarithms or elliptic curve discrete logarithms. The proposed scheme has a convenient arbitration mechanism allowing the designated recipient to convert the authenticated ciphertext into an ordinary signature without any extra computation efforts or communication overheads for the public arbitration. Additionally, the security requirement of confidentiality against adaptive chosen ciphertext attacks (IND-CCA2) and that of unforgeability against existential forgery on adaptive chosen-message attacks (EU-CMA2) are proved in the random oracle model.
TL;DR: An efficient hardware implementation of a Ghash core on the Xilinx Virtex 5 FPGA platform, in terms of performance, is presented, and it can meet the requirement of GMAC for high-speed and highly efficient authentication.
Abstract: GMAC (Galois Message Authentication Code) is a special case of the authenticated encryption mode GCM (Galois/Counter Mode) when it acts as a stand-alone MAC. As the hash function of GMAC, Ghash is based on the GF(2^128) multiplier. It is the algebraic properties of Ghash that support incremental authentication of GMAC. In this paper, an efficient hardware implementation of a Ghash core on the Xilinx Virtex 5 FPGA platform, in terms of performance, is presented. The proposed hardware implementation has been thoroughly tested using the commercial simulation tool ModelSim and its functionality has been verified. The synthesis results show that this efficient implementation of the Ghash core does not introduce extra design complexity and has high throughput, up to 15.382 Gbps, and it can meet the requirement of GMAC for high-speed and highly efficient authentication.
TL;DR: A general framework for constructing useful client puzzles (UCPs) is given, based on identity-based cryptography along with well-analyzed symmetric-key authenticated encryption techniques (without random oracles).
Abstract: Denial of Service (DoS) attacks are serious threats for network societies. For dealing with DoS attacks, Jakobsson and Juels first proposed the notion of useful client puzzles (UCPs) which simultaneously decrease servers' burden and increase clients'. In ACM CCS'04, Diament, Lee, Keromytis, and Yung introduced the decryption-based UCPs. In this paper, we give a general framework for constructing such UCPs which is based on identity-based cryptography along with well-analyzed symmetric key authenticated encryption techniques (without random oracles). By using this framework, we can flexibly construct various UCPs according to different types of system requirements. We also give some instantiations: the first is a UCP based on the Boneh-Boyen Identity based encryption scheme, with provable security in the standard model. Another one is a UCP based on the Boneh-Gentry-Hamburg identity-based encryption scheme, which doesn't require pairings.
TL;DR: This paper describes an extension of XEX* mode, which is a method to convert a block cipher into a tagged tweakable block cipher, and proves the scheme's security in a general form, where the offset function is not restricted to the one used by XEX*.
Abstract: This paper describes an extension of XEX* mode, which is a method to convert a block cipher into a tagged tweakable block cipher, a notion introduced by Rogaway in 2004 as an extension of the tweakable block cipher by Liskov et al. Our extension attaches an additional encryption function to the original XEX*, which has some limitation but is slightly faster than the encryption implemented by XEX*. We prove our scheme's security in a general form, where the offset function, a key component of our construction, is not restricted to the one used by XEX*. We also provide some applications of our result, in particular to OCB 2.0, an authenticated encryption based on XEX*.
TL;DR: This paper introduces Authenticated Streamwise Online Encryption (ASOE), which operates on plaintexts and ciphertexts as streams of arbitrary length, and thus significantly reduces message expansion and end-to-end latency, and provides data authenticity as an option.
Abstract: In Blockwise On-line Encryption, encryption and decryption return an output block as soon as the next input block is received. In this paper, we introduce Authenticated Streamwise Online Encryption (ASOE), which operates on plaintexts and ciphertexts as streams of arbitrary length (as opposed to fixed-sized blocks), and thus significantly reduces message expansion and end-to-end latency. Also, ASOE provides data authenticity as an option. ASOE can therefore be used to efficiently secure resource-constrained communications with real-time requirements such as those in the electric power grid and wireless sensor networks. We investigate and formalize ASOE’s strongest achievable notion of security, and present a construction that is secure under that notion. An instantiation of our construction incurs zero end-to-end latency due to buffering and only 48 bytes of message expansion, regardless of the plaintext size.
TL;DR: In this paper, the authors consider the key-wrapping notion that mirrors authenticated encryption, and investigate a template of Hash-then-Encrypt (HtE), which seems practically appealing: in this method the key is first "hashed" into a short nonce, and then the nonce and key are encrypted using some standard encryption mode.
Abstract: We address the practice of key-wrapping, where one symmetric cryptographic key is used to encrypt another. This practice is used extensively in key-management architectures, often to create an "adapter layer" between incompatible legacy systems. Although in principle any secure encryption scheme can be used for key wrapping, practical constraints (which are commonplace when dealing with legacy systems) may severely limit the possible implementations, sometimes to the point of ruling out any "secure general-purpose encryption." It is therefore desirable to identify the security requirements that are "really needed" for the key-wrapping application, and have a large variety of implementations that satisfy these requirements.
This approach was developed in a work by Rogaway and Shrimpton at EUROCRYPT 2006. They focused on allowing deterministic encryption, and defined a notion of deterministic authenticated encryption (DAE), which roughly formalizes "the strongest security that one can get without randomness." Although DAE is weaker than full-blown authenticated encryption, it seems to suffice for the case of key wrapping (since keys are random and therefore the encryption itself can be deterministic). Rogaway and Shrimpton also described a mode of operation for block ciphers (called SIV) that realizes this notion.
We continue in the direction initiated by Rogaway and Shrimpton. We first observe that the notion of DAE still rules out many practical and "seemingly secure" implementations. We thus look for even weaker notions of security that may still suffice. Specifically we consider notions that mirror the usual security requirements for symmetric encryption, except that the inputs to be encrypted are random rather than adversarially chosen. These notions are all strictly weaker than DAE, yet we argue that they suffice for most applications of key wrapping.
As for implementations, we consider the key-wrapping notion that mirrors authenticated encryption, and investigate a template of Hash-then-Encrypt (HtE), which seems practically appealing: In this method the key is first "hashed" into a short nonce, and then the nonce and key are encrypted using some standard encryption mode. We consider a wide array of "hash functions", ranging from a simple XOR to collision-resistant hashing, and examine what "hash function" can be used with what encryption mode.
TL;DR: Self-certified public key systems are adopted to construct efficient proxy CAE schemes enabling an authorized proxy signer to generate an authenticated ciphertext on behalf of the original signer.
TL;DR: This paper focuses on some Authenticated Encryption with Associated Data techniques, and on their thorough evaluation by a detailed model of the space Telecommand channel and protocol stack, in order to achieve an optimal selection for application in the real space communication environment.
Abstract: Secure communications in the context of civil space missions have gained major attention in the last few years, mainly thanks to the activities promoted in this field by the Consultative Committee for Space Data Systems. Risk analyses performed by several space agencies have provided indications of the impact of different security threats on several categories of space missions. As a result, to ensure a minimum level of security, at least Telecommand authentication should be applied to all missions. Besides standard and well-known algorithms, alternative authentication solutions are to be considered, and tested for possible adoption in the space context, in order to provide a scalable and flexible authentication framework. To this aim, this paper focuses on some Authenticated Encryption with Associated Data techniques, and on their thorough evaluation by a detailed model of the space Telecommand channel and protocol stack, in order to achieve an optimal selection for application in the real space communication environment.
TL;DR: This Thesis will analyze the standard 1619.1 published by the IEEE to provide authenticated encryption to stored data with AES algorithm working in XTS mode, a 128-bit block cipher characterized by the use of two AES encryptions with two different keys of the same size.
Abstract: This Thesis will analyze the standard 1619.1 published by the IEEE. The aim of this standard is to provide authenticated encryption to stored data with the AES algorithm working in XTS mode. XTS-AES is a 128-bit block cipher characterized by the use of two AES encryptions with two different keys of the same size, tweak values to add uncertainty to cipher data, GF(2^128) Galois fields and the Ciphertext Stealing technique for data units not perfectly divisible into 128-bit blocks. There is no unanimous agreement about the profits of this standard, so various aspects such as the use of two different keys, implementation in other areas or the support of the storage industry will be a source of controversy. Some commercial software and hardware that implement the XTS-AES encryption mode will be presented and used to test and analyze the security properties presented by the standard IEEE 1619.1. Keywords: AES, XTS, Tweak values, Ciphertext Stealing, XTS-AES.
TL;DR: This paper analyzes a secure data aggregation scheme and compares its performance with upgraded results of the secure protocol Dragon-Mac, which supports node-to-node encryption using the Dragon algorithm based on secrecy methods in sensor networks.
Abstract: Security is one of the major issues for Ubiquitous Sensor Networks’ (USNs) applications. The evolution of Ubiquitous sensor networks provides a unique solution for many ubiquitous information services. Apparently, it challenges the data security and secrecy due to its hostile deployment, which is not robust to physical attacks from restricted sources. In order to resolve the security issues that are duly required in sensor networks, the cryptography protocol is implemented at sensor nodes for node-to-node encryption, considering the data redundancy, energy constraint and security requirement. In this paper, we analyze a secure data aggregation scheme and compare its performance with upgraded results of the secure protocol Dragon-Mac [8], which supports node-to-node encryption using the Dragon algorithm [3] based on secrecy methods in sensor networks. This procedure utilizes entity verification and message authentication through the performance of an authenticated encryption scheme in Telos B [11] wireless sensor nodes.
TL;DR: A new (t, n) threshold-authenticated encryption scheme with message linkage to reduce the load on the signer using a division-of-labor signature based on the elliptic curve cryptosystem, which can reach highly efficient performance and comprehensiveness of security.
TL;DR: Results on the analysis of three AE stream ciphers submitted to the recently completed eSTREAM competition are presented and possible methods for mounting attacks on these ciphers are discussed.
Abstract: Authenticated Encryption (AE) is the cryptographic process of providing simultaneous confidentiality and integrity protection to messages. AE is potentially more efficient than applying a two-step process of providing confidentiality for a message by encrypting the message and in a separate pass, providing integrity protection by generating a Message Authentication Code (MAC) tag. This paper presents results on the analysis of three AE stream ciphers submitted to the recently completed eSTREAM competition. We classify the ciphers based on the methods the ciphers use to provide authenticated encryption and discuss possible methods for mounting attacks on these ciphers.
TL;DR: This research work has analyzed known authenticated encryption mechanisms using eSTREAM ciphers and their implementation in resource limited WSN environment.
Abstract: Wireless Sensor Networks are gaining popularity due to their widespread application areas, especially the military, biomedical and corporate sectors. Secure and authentic data exchange for sensitive and critical applications is a basic need. The European Union's eSTREAM project has identified a set of software-implementable stream ciphers with efficiency and security comparable to AES. Integration of an authentication mechanism with these software-implementable stream ciphers remained an open challenge. The situation is further aggravated once the target application platform is resource constrained in terms of energy, processing power and memory, as in the case of WSNs. In this research work we have analyzed known authenticated encryption mechanisms using eSTREAM ciphers and their implementation in a resource-limited WSN environment.
TL;DR: A new type of authenticated encryption scheme is proposed, which is inspired by the two notions of the ring signature and the authenticated encryption signature, which can enable any member of a group of persons to provide a clue to some designated recipient wisely.
TL;DR: This document specifies these cipher suites based on DES and IDEA for completeness, and discusses reasons why their use is no longer recommended.
Abstract: TLS specification versions 1.0 (RFC 2246) and 1.1 (RFC 4346) included cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) algorithms. DES (when used in single-DES mode) and IDEA are no longer recommended for general use in TLS, and have been removed from TLS 1.2 main specification (RFC NNNN). This document specifies these cipher suites for completeness, and discusses reasons why their use is no longer recommended.
TL;DR: AEIVV associates one unique IV with each disk sector; it then applies the AES-CCM authenticated encryption to the protected sector and constructs a hash tree over the IV storage, showing that AEIVV is a practical and available way to build a secure disk.
Abstract: To protect hard disk data confidentiality and integrity, AEIVV associates one unique IV with each disk sector; then, it applies the AES-CCM authenticated encryption to the protected sector and constructs a hash tree over the IV storage. By ensuring that the IV is trusted or untampered, data can be protected firmly. To make it an available way for disk protection, various optimizing measures are applied to quicken the running speed. With the emphasis on reducing the extra latencies caused by protection, IV/MAC storage is allocated using an interlaced layout to decrease the seek time of disk I/O, and the IV-checking penalty is reduced by buffering the frequently used hash tree nodes and IV/MAC values. Related approaches are elaborated, as well as experimental results. The results show that AEIVV is a practical and available way to build a secure disk.
TL;DR: In this article, the security printing method of the image forming system may include receiving print data in an image forming apparatus, determining whether the received print data includes an authenticated encryption code, and, if it is determined that the print data does not include the authenticated encryption code, forming an image that includes an indication that the print may not be a security print.
Abstract: An image forming system and a security printing method of the image forming system. The security printing method of the image forming system may include receiving print data in an image forming apparatus, determining whether the received print data includes an authenticated encryption code, and, if it is determined that the print data does not include the authenticated encryption code, forming an image that includes an indication that the print may not be a print by security print. The security printing method has the advantage of performing a print operation on print data authenticated by a host device with no security application, or even in printing by Direct Printing, with strengthened security.
TL;DR: In this paper, the authors proposed an unconditionally secure authenticated encryption that requires shorter key material than current state-of-the-art encryption schemes by combining properties of the integer field Zp with the fact that the message to be authenticated is unknown to adversaries.
Abstract: Confidentiality and integrity are two main objectives of security systems and the literature of cryptography is rich with proposed techniques to achieve them. To satisfy the requirements of a wide range of applications, a variety of techniques with different properties and performances have appeared in the literature. In this work, we address the problem of confidentiality and integrity in communications over public channels. We propose an unconditionally secure authenticated encryption that requires shorter key material than current state of the art. By combining properties of the integer field Zp with the fact that the message to be authenticated is unknown to adversaries (encrypted), message integrity is achieved using a single modular multiplication. Against an adversary equipped with a single antenna, the adversary’s probability of modifying a valid message in a way undetected by the intended receiver can be made an absolute zero. After the description of the basic scheme and its detailed security analysis are completed, we describe an extension to the main scheme that can substantially reduce the required amount of key material.
TL;DR: In this paper, the authors propose algorithms for authenticated encryption with additional authenticated data (AEAD) that are based on the composition of AES in the Cipher Block Chaining (CBC) mode of operation for encryption, and the HMAC-SHA1 message authentication code (MAC).
Abstract: This document specifies algorithms for authenticated encryption with additional authenticated data (AEAD) that are based on the composition of the Advanced Encryption Standard (AES) in the Cipher Block Chaining (CBC) mode of operation for encryption, and the HMAC-SHA1 message authentication code (MAC). It also separately defines a generic composition method that can be used with other MACs and randomized ciphers (that is, ciphers that use random initialization vectors). These algorithms are randomized, and thus are suitable for use with applications that cannot provide distinct nonces to each invocation of the AEAD encrypt operation.
TL;DR: OXCBC is proved secure, quantifying the adversary's ability to violate the mode's authenticity in terms of the quality of its block cipher as a strong PRP.
Abstract: In many practical applications of information security, an authenticated-encryption scheme is often constructed by appropriately combining an encryption scheme and a message authentication code. With such a scheme, the same message must be processed in two passes, which not only requires two keys but also has low efficiency. Based on CBC mode, we propose a new one-pass authenticated encryption mode, OXCBC, which provides privacy and authenticity simultaneously. OXCBC uses only one key and a nonce and is more efficient than other one-pass authenticated encryption schemes. We prove OXCBC secure, quantifying the adversary's ability to violate the mode's authenticity in terms of the quality of its block cipher as a strong PRP.