## Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers (2015)

### Citations

744 | How to construct random functions - Goldreich, Goldwasser, et al. - 1986

420 | A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation - Bellare, Desai, et al. - 1997
Citation Context: ...nnel. In the symmetric key setting, it has long been known how to ensure both of them independently, e.g., starting from a secure block cipher, by using a suitable encryption mode for confidentiality [BDJR97] and a block cipher-based MAC for authenticity [BKR00]. However, how exactly to combine both tools has long been left to the practitioners, leading to major security breaches [Kra01, DR11, AP13]. Some...

417 | New Hash Functions and Their Use in Authentication and Set - Wegman, Carter - 1981
Citation Context: ...be written $\mathrm{PWC}[\tilde{P}](N,A,M) = F_{\tilde{P}}(N) \oplus H_{\tilde{P}}(A,M)$, (11) $\mathrm{EPWC}[\tilde{P}](N,A,M) = \tilde{P}^{4,0}\big(F_{\tilde{P}}(N) \oplus H_{\tilde{P}}(A,M)\big)$, (12) which should make it clear that the PWC construction follows the Wegman-Carter paradigm [WC81] with an additional layer of encryption for EPWC (note that the three sets of tweaks used in F, H, and for the final encryption call are disjoint, so that these three building blocks are independent)...

239 | The security of the cipher block chaining message authentication code - Bellare, Kilian, et al.
Citation Context: ...own how to ensure both of them independently, e.g., starting from a secure block cipher, by using a suitable encryption mode for confidentiality [BDJR97] and a block cipher-based MAC for authenticity [BKR00]. However, how exactly to combine both tools has long been left to the practitioners, leading to major security breaches [Kra01, DR11, AP13]. Sometimes, protocol designers even overlooked that authent...

204 | OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption - Rogaway - 2001

152 | Tweakable block ciphers - Liskov, Rivest, et al. - 2002
Citation Context: ...bringing inherent variability to the primitive (equivalently, a TBC can be seen as a family of block ciphers indexed by the tweak). In the same paper that formalized the corresponding security notion [LRW02], it was pointed out that a TBC was a very convenient starting point for building various schemes. In particular, for AE schemes, two prominent examples are the sibling modes TAE [LRW02] and ΘCB [KR11...

151 | The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?) - Krawczyk - 2001

88 | On fast and provably secure message authentication based on universal hashing - Shoup - 1996
Citation Context: ...,M), (14) or $\mathrm{EPWC}'[\rho, \tilde{P}](N,A,M) = \tilde{P}^{4,0}\big(\rho(N) \oplus H_{\tilde{P}}(A,M)\big)$, (15) where H is defined by (9) and was shown to be xor-universal in the proof of Theorem 2. The classical result on Wegman-Carter MACs [Sho96] applies (the additional encryption layer for EPWC does not modify it), and gives $\Pr[\mathrm{BW}_3 : \mathrm{Win}] \le q/|\mathcal{X}|$. This concludes the proof. Remark 1. While it is in principle possible to save one encryp...

80 | Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography - Bellare, Rogaway - 1998

80 | Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC - Rogaway - 2004
Citation Context: ...ity level in the real world, one must instantiate the TBC with care. Most existing TBCs are built from conventional block ciphers in a generic way, the prominent example being the XE/XEX construction [Rog04a] which only ensures security up to the birthday bound. Hence, using XE/XEX in our schemes would in a sense waste their nice security promises.5 To remedy this problem, one can use either generic TBC c...

78 | A block-cipher mode of operation for parallelizable message authentication - Black, Rogaway - 2002

75 | The EAX Mode of Operation - Bellare, Rogaway, et al. - 2004
Citation Context: ...hile confidentiality is only damaged insofar as the adversary can detect whether the same triple of nonce, AD and message values is repeated. Example of schemes achieving this security notion are EAX [BRW04], SIV [RS06], AEZ [HKR15], or GCM-SIV [GL15]. Because the 1 Similarly, the high-entropy requirement on the IV is hard to meet when no good randomness source is available. 2 MRAE notion cannot be achie...

71 | The security and performance of the Galois/Counter Mode (GCM) of operation - McGrew, Viega - 2005
Citation Context: ...al treatment of these constructions only started around 2000 [BN00, BR00, KY06]. At about the same time, provably secure AE designs started to appear, such as CCM [WHF02], OCB [RBB03, Rog04a], or GCM [MV04]. The CAESAR competition [CAE] for authenticated encryption, started in 2014, recently put this research topic in the limelight. Various AE schemes were proposed, from purely ad-hoc designs to (tweaka...

68 | Complete characterization of security notions for probabilistic private-key encryption - Katz, Yung - 2000

60 | Authenticated-encryption with associated-data - Rogaway - 2002
Citation Context: ...icient and less likely to be incorrectly used. Besides, it has become standard for an AE scheme to have the ability to handle so-called associated data (AD), which are authenticated but not encrypted [Rog02] (such a scheme was for a time called an AEAD scheme, but since this feature is so important in practice, virtually all modern AE schemes provide it; we will only talk of AE in this paper, implicitly ...

50 | A provable-security treatment of the key-wrap problem - Rogaway, Shrimpton - 2006
Citation Context: ... achieving nonce-misuse resistance, which informally means that the impact on security of a nonce repetition should be as limited as possible. This goal was first put forward by Rogaway and Shrimpton [RS06], who formalized the notion of misuse-resistant AE (MRAE). For a scheme enjoying this property, authenticity is not harmed by nonce repetitions, while confidentiality is only damaged insofar as the ad...

45 | On computationally secure authentication tags requiring short secret shared keys - Brassard - 1982

39 | Nonce-based symmetric encryption - Rogaway - 2004
Citation Context: ... AD and the message length over all queries; – which runs in time at most t. 4 The CTRT Encryption Mode 4.1 Syntax and Security of nivE Schemes Most existing encryption schemes are either nonce-based [Rog04b] or IV-based [BDJR97], i.e., they employ an externally provided value which either should not repeat (nonce), or should be selected uniformly at random (IV). (See also [NRS14].) Here, we introduce the...

35 | The software performance of authenticated-encryption modes. In: Fast Software Encryption - Krovetz, Rogaway - 2011
Citation Context: ...RW02], it was pointed out that a TBC was a very convenient starting point for building various schemes. In particular, for AE schemes, two prominent examples are the sibling modes TAE [LRW02] and ΘCB [KR11] (the TBC-based generalization of OCB). They have “perfect” security in the sense that, when used with an ideal TBC, the advantage of any adversary is zero against confidentiality and close to $2^{-\tau}$ aga...

34 | Lucky thirteen: Breaking the TLS and DTLS record protocols - AlFardan, Paterson - 2013

34 | Security flaws induced by CBC padding - applications to SSL - Vaudenay - 2002
Citation Context: ...or security breaches [Kra01, DR11, AP13]. Sometimes, protocol designers even overlooked that authenticity was a necessary requirement besides confidentiality, as exemplified by padding oracle attacks [Vau02]. Even when the combination of the encryption and the MAC schemes is properly done, it might not be the most efficient solution, especially when the two parts rely on two different primitives. For the...

20 | Competition for authenticated encryption: Security, applicability, and robustness - CAESAR - 2014
Citation Context: ...ions only started around 2000 [BN00, BR00, KY06]. At about the same time, provably secure AE designs started to appear, such as CCM [WHF02], OCB [RBB03, Rog04a], or GCM [MV04]. The CAESAR competition [CAE] for authenticated encryption, started in 2014, recently put this research topic in the limelight. Various AE schemes were proposed, from purely ad-hoc designs to (tweakable) block cipher operating mo...

19 | A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion - Bellare, Impagliazzo - 1999
Citation Context: ... a random function $\rho : \{0,1\}^n \to \{0,1\}^n$ within q queries has an advantage upper bounded by $q^3/2^{2n-1}$ (see also [CLP14]). Better bounds were proposed in three different papers: Bellare and Impagliazzo [BI99] proved that the advantage is upper bounded by $O(n)(q/2^n)^{1.5}$, while Patarin proved in two different ways [Pat08a, Pat13] an upper bound $O(q/2^n)$. However, in all three cases the exact O(·) function was...

19 | Tight security bounds for key-alternating ciphers - Chen, Steinberger - 2014
Citation Context: ...the tweak T appears as a counter when encrypting the queries of the adversary. Clearly, one has $\sum_{T \in \mathcal{T}} L(T) = \sigma$. (3) The proof relies on the fundamental lemma of the H-coefficients technique (see e.g. [CS14] for the proof). Lemma 1. Assume that the set of A-attainable transcripts is partitioned into two disjoint sets GoodT and BadT, and that there exists $\varepsilon_1$ and $\varepsilon_2$ such that for any τ ∈ GoodT, one has Pr ...

19 | McOE: A family of almost foolproof on-line authenticated encryption schemes - Fleischmann, Forler, et al.
Citation Context: ...eet when no good randomness source is available. 2 MRAE notion cannot be achieved for an online scheme (since each bit of the ciphertext must depend on every bit of the plaintext), Fleischmann et al. [FFL12] proposed a relaxation of the MRAE notion called online AE (OAE), which can be achieved with a single pass on the input. Examples of schemes ensuring this security property are McOE [FFL12], COPA [ABL...

16 | The sum of PRPs is a secure PRF - Lucks - 2000
Citation Context: ...random function F applied to the nonce N. This pseudorandom function is constructed from Ẽ by summing two independent pseudorandom permutations in order to obtain security beyond the birthday bound [Luc00]. The EPWC construction is simply PWC with an additional layer of encryption to provide nonce-misuse resistance. Before stating and proving the security results for (E)PWC, we focus on how to obtain t...

13 | Robust authenticated-encryption AEZ and the problem that it solves - Hoang, Krovetz, et al. - 2015
Citation Context: ...nly damaged insofar as the adversary can detect whether the same triple of nonce, AD and message values is repeated. Example of schemes achieving this security notion are EAX [BRW04], SIV [RS06], AEZ [HKR15], or GCM-SIV [GL15]. Because the 1 Similarly, the high-entropy requirement on the IV is hard to meet when no good randomness source is available. 2 MRAE notion cannot be achieved for an online scheme ...

12 | The “coefficients H” technique - Patarin - 2009

11 | New Blockcipher Modes of Operation with Beyond the Birthday - Iwata - 2006

11 | Beyond-birthday-bound security based on tweakable block cipher - Minematsu

10 | Tweakable blockciphers with beyond birthday-bound security - Landecker, Shrimpton, et al. - 2012

9 | Here come the ⊕ Ninjas. Unpublished manuscript - Duong, Rizzo - 2011
Citation Context: ...tion has been recently reduced by some serious security concerns, notably the so-called chosen-prefix/secret-suffix (CPSS) generic attack [HRRV15], that shares some similarities with the BEAST attack [DR11]. Birthday and Beyond-Birthday Security. Another important shortcoming of most AE operating modes is that they provide only birthday-bound security with respect to the block length of the underlying p...

8 | Tweaks and keys for block ciphers: the TWEAKEY framework - Jean, Nikolić, et al. - 2014

8 | Reconsidering generic composition - Namprempre, Rogaway, et al. - 2014
Citation Context: ...he TBC. The “effective” tweak length is what remains once 3 bits have been used to encode the prefix. 3 While SIV corresponds to generic composition method A4 in the nomenclature of Namprempre et al. [NRS14], NSIV does not fit any of the NRS schemes. 4 This excludes for example a simple OCB-like encryption mode since it is only nonce-based, not IV-based. 4 property that the counter is applied on the tweak...

8 | Sequence of Games: A Tool for Taming Complexity - Shoup
Citation Context: .... It is easy to adapt the proof that H is xor-universal to show that H′ is also xor-universal (hence, in particular, universal, which is all we need here). The remaining of the proof is now standard [Sho04], and we only sketch it. We first replace $\tilde{P}^{4,0}$ in $\mathrm{EPWC}[\tilde{P}]$ by a uniformly random function $\rho : \mathcal{X} \to \mathcal{X}$, and denote $\mathrm{EPWC}''[\rho, \tilde{P}]$ the resulting construction. By the PRP-PRF switching lemma, A can dis...

6 | Domain extension for MACs beyond the birthday barrier - Dodis, Steinberger - 2011

6 | Online authenticated-encryption and its nonce-reuse misuse-resistance. Cryptology ePrint Archive, Report 2015/189 - Hoang, Reyhanitabar, et al. - 2015
Citation Context: ...ABL+13], or POET [AFF+14]. However, the interest in the OAE notion has been recently reduced by some serious security concerns, notably the so-called chosen-prefix/secret-suffix (CPSS) generic attack [HRRV15], that shares some similarities with the BEAST attack [DR11]. Birthday and Beyond-Birthday Security. Another important shortcoming of most AE operating modes is that they provide only birthday-bound s...

6 | Authenticated Encryption Mode for Beyond the Birthday Bound Security - Iwata - 2008

5 | A new variant of PMAC: beyond the birthday bound - Yasuda

4 | Collision Attacks on OCB. Unpublished manuscript, 2002. Available at http://www.cs.ucdavis.edu/~rogaway/ocb/fe02.pdf - Ferguson
Citation Context: ... block ciphers, the situation is even more problematic). Moreover, this is rarely a problem with the tightness of the security proof: attacks matching the bound are often known. For example, Ferguson [Fer02] described a simple collision-based attack on OCB that breaks authenticity with $2^{64}$ blocks of messages. Recently, some AE schemes providing security beyond the birthday bound (BBB) were proposed [Iwa0...

4 | Gaëtan Leurent, François-Xavier Standaert, Kerem Varici, François Durvaux - Grosso - 2014

4 | Optimally Secure Tweakable Blockciphers - Mennink - 2015

4 | A proof of security in $O(2^n)$ for the Xor of two random permutations - Patarin - 2008

2 | GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Cryptology ePrint Archive, Report 2015/102 - Gueron, Lindell - 2015
Citation Context: ...as the adversary can detect whether the same triple of nonce, AD and message values is repeated. Example of schemes achieving this security notion are EAX [BRW04], SIV [RS06], AEZ [HKR15], or GCM-SIV [GL15]. Because the 1 Similarly, the high-entropy requirement on the IV is hard to meet when no good randomness source is available. 2 MRAE notion cannot be achieved for an online scheme (since each bit of ...

1 | The Indistinguishability of the XOR of k Permutations - Cogliati, Lampe, et al. - 2014
Citation Context: ..., Theorem 5] showed that an information-theoretic adversary trying to distinguish $F_K$ from a random function $\rho : \{0,1\}^n \to \{0,1\}^n$ within q queries has an advantage upper bounded by $q^3/2^{2n-1}$ (see also [CLP14]). Better bounds were proposed in three different papers: Bellare and Impagliazzo [BI99] proved that the advantage is upper bounded by $O(n)(q/2^n)^{1.5}$, while Patarin proved in two different ways [Pat08a...

1 | Security in $O(2^n)$ for the Xor of Two Random Permutations—Proof with the standard H technique—. ePrint Archive, Report 2013/368, 2013. Available at http://eprint.iacr.org/2013/368 - Patarin