SLIDE 1

APE(X): Authenticated Permutation-Based Encryption with Extended Misuse Resistance

Atul Luykx

COSIC, KU Leuven

August 14, 2013

Joint work with A. Bogdanov, E. Andreeva, B. Mennink, N. Mouha, K. Yasuda

SLIDE 2

Stateless, Deterministic Encryption

E(M1) = C1
E(M2) = C2
M1 = M2 ⇒ C1 = C2

SLIDE 3

Nonces

E(N1, M1) = C1
E(N2, M2) = C2
N1 = N2 and M1 = M2 ⇒ C1 = C2

SLIDE 4

Nonce Repetition

Nonce repeated? Usually no security guarantees.
Misuse Resistance.

SLIDE 5

Some AE Schemes

Block Cipher, Nonce-dependent: IAPM '01, OCB '01, XECB '01, CCM '01, GCM '04
Block Cipher, Misuse Resistant: SIV '06, BTM '09, McOE-G '11
Permutation, Nonce-dependent: SpongeWrap '11

SLIDE 6

Some AE Schemes

Block Cipher, Nonce-dependent: IAPM '01, OCB '01, XECB '01, CCM '01, GCM '04
Block Cipher, Misuse Resistant: SIV '06, BTM '09, McOE-G '11
Permutation, Nonce-dependent: SpongeWrap '11
Permutation, Misuse Resistant: APE

SLIDE 7

APE

[Diagram: four calls to p; message blocks M[1] to M[4]; ciphertext blocks C[1] to C[4]; tag T; key K; constant 1]

SLIDE 8

APE - Associated Data

[Diagram: four calls to p; initial state 0^r, K; associated data blocks A[1] to A[4]; IV_r, IV_c]

SLIDE 9

APE - Decryption

[Diagram: four calls to p^-1; ciphertext blocks C[1] to C[4]; tag T; message blocks M[1] to M[4]; key K; constant 1; check "K?"]

SLIDE 10

Properties

1. Proof with ideal permutation (sponge)
2. Tag cannot be truncated
3. Suited for lightweight
4. Online?

SLIDE 11

Online

[Diagram: message blocks M[1] to M[4] and ciphertext blocks C[1] to C[4]]
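
An added sketch (not from the slides or the APE authors) of the structure drawn on the APE encryption and decryption slides, showing the online behaviour: under a fixed key, messages that share a prefix give ciphertexts that share that prefix. The 128-bit state, the 64-bit rate and capacity, the toy permutation `p`, empty associated data, and the placement of the constant 1 are assumptions for illustration.

```python
# Toy sketch of the APE structure with empty associated data. Sizes and the
# permutation are assumptions for illustration; this is NOT a secure cipher.
MASK = (1 << 128) - 1            # b = 128-bit state
LOW = (1 << 64) - 1              # rate = top 64 bits, capacity = low 64 bits
MUL = 0x9E3779B97F4A7C15F39CC0605CEDC835   # arbitrary odd constant (constructed)
MUL_INV = pow(MUL, -1, 1 << 128)           # exists because MUL is odd

def p(x):
    """Toy invertible permutation standing in for p (assumption)."""
    for rc in range(4):
        x = ((x ^ rc) * MUL) & MASK
        x ^= x >> 67             # self-inverse because 2 * 67 >= 128
    return x

def p_inv(x):
    """Inverse of p; only decryption needs it."""
    for rc in reversed(range(4)):
        x ^= x >> 67
        x = ((x * MUL_INV) & MASK) ^ rc
    return x

def encrypt(key, blocks):
    """Forward pass: XOR M[i] into the rate, apply p, emit the rate as C[i]."""
    v = key ^ 1                  # rate 0^r, capacity K, constant 1 XORed in
    cipher = []
    for m in blocks:             # at least one 64-bit block is assumed
        v = p(v ^ (m << 64))
        cipher.append(v >> 64)
    return cipher, (v & LOW) ^ key           # T = final capacity XOR K

def decrypt(key, cipher, tag):
    """Backward pass with p_inv; valid only if it ends on capacity K ^ 1."""
    v = (cipher[-1] << 64) | (tag ^ key)
    plain = []
    for prev in reversed([0] + cipher[:-1]):  # C[0] is the all-zero initial rate
        v = p_inv(v)
        plain.append((v >> 64) ^ prev)
        v = (prev << 64) | (v & LOW)
    return plain[::-1] if (v & LOW) == key ^ 1 else None

KEY = 0x0123456789ABCDEF                      # constructed 64-bit key
M1 = [0x1111, 0x2222, 0x3333]                 # constructed messages sharing
M2 = [0x1111, 0x2222, 0x4444]                 # a two-block prefix
C1, T1 = encrypt(KEY, M1)
C2, T2 = encrypt(KEY, M2)
print(C1[:2] == C2[:2], (C1, T1) != (C2, T2), decrypt(KEY, C1, T1) == M1)
```

Because encryption here is deterministic and online, an observer learns the length of the common prefix of two messages encrypted under the same key, and nothing is hidden about equality of whole messages.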

SLIDE 12

McOE

[Diagram: four calls to E_K; labels V, M[1], M[2], τ and τ, C[1], C[2], T]

SLIDE 13

McOE - Decryption

[Diagram: calls to E_K, E_K^-1, E_K^-1, E_K; labels V, C[1], C[2], τ and τ, M[1], M[2], T]

SLIDE 14

Extra Misuse Resistance

[Diagram: four calls to p^-1; ciphertext blocks C[1] to C[4]; tag T; message blocks M[1] to M[4]; key K; constant 1; check "K?"]

SLIDE 15

APEX

[Diagram: four calls to p; message blocks M[1] to M[4]; ciphertext blocks C[1] to C[3]; key K; constant 1; labels C and C[1] ⊕ C[2] ⊕ C[3]]

SLIDE 16

Conclusions and Future Work

Future work:

1. Reducing key size
2. Designing a permutation with efficient inverse
3. Ideal model versus standard model
4. How to deal with nonces: public message number versus secret message number

SLIDE 17

Thank you for your attention.
