Optimal Forgeries Against Polynomial-Based MACs and GCM [chapter]

Atul Luykx, Bart Preneel
2018 Lecture Notes in Computer Science  
We settle the issue by finding a novel attack against polynomial-based authentication algorithms using PRPs, and combine it with new analysis, to show that Bernstein's bound, and our attacks, are optimal  ...  Polynomial-based authentication algorithms, such as GCM and Poly1305, have seen widespread adoption in practice.  ...  The authors would like to thank Guy Barwell, Dan Bernstein, Bart Mennink, Scott Fluhrer, and the anonymous reviewers for their comments, as well as Mridul Nandi for pointing out an error in a previous  ... 
doi:10.1007/978-3-319-78381-9_17 fatcat:o3lwy47tqbaepkw74tdhezl65e

Close to Optimally Secure Variants of GCM

Ping Zhang, Hong-Gang Hu, Qian Yuan
2018 Security and Communication Networks  
Firstly, we introduce two close to optimally secure pseudorandom functions and derive their security bound by the hybrid technique.  ...  The Galois/Counter Mode of operation (GCM) is a widely used nonce-based authenticated encryption with associated data mode which provides the birthday-bound security in the nonce-respecting scenario; that  ...  Acknowledgments This work was supported by National Natural Science Foundation of China (Grant nos. 61522210 and 61632013).  ... 
doi:10.1155/2018/9715947 fatcat:qngykvv3bvenlniutpohb2mlte

The Security and Performance of the Galois/Counter Mode (GCM) of Operation [chapter]

David A. McGrew, John Viega
2004 Lecture Notes in Computer Science  
GCM has several useful features: it can accept IVs of arbitrary length, can act as a stand-alone message authentication code (MAC), and can be used as an incremental MAC.  ...  The recently introduced Galois/Counter Mode (GCM) of operation for block ciphers provides both encryption and message authentication, using universal hashing based on multiplication in a binary finite  ...  attacks against AES-N-GCM that work with distinguishing advantage greater than A_{AES-N} + q^2 2^{-116} − q 2^{-89.4}, and there are no forgery attacks against AES-N-GCM that work with forgery advantage greater  ... 
doi:10.1007/978-3-540-30556-9_27 fatcat:2eou5v27kjfbnpe2ykfw7zjnae

Generic Attacks Against Beyond-Birthday-Bound MACs [chapter]

Gaëtan Leurent, Mridul Nandi, Ferdinand Sibleyras
2018 Lecture Notes in Computer Science  
Moreover, we give a variant of the attack against SUM-ECBC and GCM-SIV2 with time and data complexity Õ(2^{6n/7}).  ...  We show how to detect such quadruples in SUM-ECBC, PMAC+, 3kf9, GCM-SIV2 and their variants with O(2^{3n/4}) queries, and how to build a forgery attack with the same query complexity.  ...  We denote the concatenation of message blocks x and y as x y. When x and y fit together in one block, we use x|y to denote their concatenation.  ... 
doi:10.1007/978-3-319-96884-1_11 fatcat:w2awuwcdc5g2nmlnxsbecplxay

Bernstein Bound on WCS is Tight [chapter]

Mridul Nandi
2018 Lecture Notes in Computer Science  
In Eurocrypt 2018, Luykx and Preneel described hash-key-recovery and forgery attacks against polynomial hash based Wegman-Carter-Shoup (WCS) authenticators.  ...  We also extend the forgery adversary to the Galois Counter Mode (or GCM).  ...  Bose Center for Cryptology and Security.  ... 
doi:10.1007/978-3-319-96881-0_8 fatcat:gds2qrn4jfhonhqnybmlvubhva

Breaking Symmetric Cryptosystems Using Quantum Period Finding [chapter]

Marc Kaplan, Gaëtan Leurent, Anthony Leverrier, María Naya-Plasencia
2016 Lecture Notes in Computer Science  
First, we show that the most widely used modes of operation for authentication and authenticated encryption (e.g. CBC-MAC, PMAC, GMAC, GCM, and OCB) are completely broken in this security model.  ...  Our attacks are also applicable to many CAESAR candidates: CLOC, AEZ, COPA, OTR, POET, OMD, and Minalpher.  ...  Acknowledgements We would like to thank Thomas Santoli and Christian Schaffner for sharing an early stage manuscript of their work [41], Michele Mosca for discussions and LTCI for hospitality.  ... 
doi:10.1007/978-3-662-53008-5_8 fatcat:zmmqzo3tn5ggdnuo7axmpc4n2a

Breaking Symmetric Cryptosystems using Quantum Period Finding [article]

Marc Kaplan, Gaëtan Leurent, Anthony Leverrier, María Naya-Plasencia
2016 arXiv   pre-print
First, we show that the most widely used modes of operation for authentication and authenticated encryption (e.g. CBC-MAC, PMAC, GMAC, GCM, and OCB) are completely broken in this security model.  ...  Our attacks are also applicable to many CAESAR candidates: CLOC, AEZ, COPA, OTR, POET, OMD, and Minalpher.  ...  Acknowledgements We would like to thank Thomas Santoli and Christian Schaffner for sharing an early stage manuscript of their work [40], Michele Mosca for discussions and LTCI for hospitality.  ... 
arXiv:1602.05973v3 fatcat:qmlnmfubvvhhzmsxmsku2qnjke

The BRUTUS automatic cryptanalytic framework

Markku-Juhani O. Saarinen
2015 Journal of Cryptographic Engineering  
For an implementor, this strategy appears to offer seemingly harmless and compliant storage and latency advantages.  ...  This report summarizes our results from security analysis covering all 57 competitions for authenticated encryption: security, applicability, and robustness (CAESAR) first-round candidates and over 210  ...  Theorem 1 AES-GCM is not vulnerable to adaptive-chosen-plaintext attacks. Proof The Galois/counter mode has an essentially independent counter mode and a polynomial-based authentication mechanism.  ... 
doi:10.1007/s13389-015-0114-1 fatcat:nubvjj5p65ac5emvq3tdtfukg4

Faster Binary-Field Multiplication and Faster Binary-Field MACs [chapter]

Daniel J. Bernstein, Tung Chou
2014 Lecture Notes in Computer Science  
This performance relies on a new representation of field elements and new FFT-based multiplication techniques.  ...  almost as fast as state-of-the-art 128-bit prime-field MACs using Intel's integer-multiplication hardware (around 1 cycle/byte).  ...  New Speeds for Binary-Field MACs This paper introduces Auth256, an F_{2^{256}}-based MAC at a 2^{255} security level; and a constant-time software implementation of Auth256 running at just 1.89 cycles/byte  ... 
doi:10.1007/978-3-319-13051-4_6 fatcat:l3qytia6b5cvdlcl757p7qxvoe

The Software Performance of Authenticated-Encryption Modes [chapter]

Ted Krovetz, Phillip Rogaway
2011 Lecture Notes in Computer Science  
Our findings contrast with those of McGrew and Viega (2004), who claimed similar performance for GCM and OCB.  ...  Still we find room for algorithmic improvements to OCB, showing how to trim one blockcipher call (most of the time, assuming a counter-based nonce) and reduce latency.  ...  Acknowledgments Phil Rogaway had interesting discussions with Tariq Ahmad (University of Massachusetts) on hardware aspects of GCM and OCB3. The authors appreciate the support of NSF CNS 0904380.  ... 
doi:10.1007/978-3-642-21702-9_18 fatcat:rxh5ghghgjhx3hlzxk4bojbhty

MAC Precomputation with Applications to Secure Memory

Juan A. Garay, Vladimir Kolesnikov, Rae Mclellan
2016 ACM Transactions on Privacy and Security  
One of the most celebrated MAC schemes, and also one that naturally allows precomputation, was proposed by Wegman and Carter [37].  ...  Extending the authors' previous work on UHF families, in [37] they introduced the notion of SU hash families, and showed that MAC_{k,r}(m) = H_k(m) ⊕ r is an unconditionally secure MAC, where H is an  ...  Their idea is to use a highly efficient CRC (CRC8 or CRC32) as the MAC of memory block m, and to encrypt stored data by XORing it with a one-time pad (OTP).  ... 
doi:10.1145/2943780 fatcat:bakr4m3wzvhwxcqjbm42ppqitm

MAC Precomputation with Applications to Secure Memory [chapter]

Juan Garay, Vladimir Kolesnikov, Rae McLellan
2009 Lecture Notes in Computer Science  
One of the most celebrated MAC schemes, and also one that naturally allows precomputation, was proposed by Wegman and Carter [37].  ...  Extending the authors' previous work on UHF families, in [37] they introduced the notion of SU hash families, and showed that MAC_{k,r}(m) = H_k(m) ⊕ r is an unconditionally secure MAC, where H is an  ...  Their idea is to use a highly efficient CRC (CRC8 or CRC32) as the MAC of memory block m, and to encrypt stored data by XORing it with a one-time pad (OTP).  ... 
doi:10.1007/978-3-642-04474-8_34 fatcat:u2nmk3mwbrfmlnzidwcxatvqq4

Boosting Authenticated Encryption Robustness with Minimal Modifications [chapter]

Tomer Ashur, Orr Dunkelman, Atul Luykx
2017 Lecture Notes in Computer Science  
: ChaCha20+Poly1305 already improves over GCM in how it authenticates, GCM-SIV uses GCM's underlying components to provide nonce misuse resistance, and TLS1.3 introduces a randomized nonce in order to  ...  We continue this line of work by looking more closely at GCM and ChaCha20+Poly1305 to see what robustness they already provide over algorithms such as OCB, and whether minor variants of the algorithms  ...  The authors would like to thank Günes Acar, Roger Dingledine, Ian Goldberg, Mark Juarez, Bart Mennink, and Vincent Rijmen, as well as the anonymous reviewers.  ... 
doi:10.1007/978-3-319-63697-9_1 fatcat:qaix7jnghzhjdd3ljnwjkst7ze

GCM-SIV

Shay Gueron, Yehuda Lindell
2015 Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security - CCS '15  
In this paper, we present a new fully nonce misuse-resistant authenticated encryption scheme that is based on carefully combining the GCM building blocks into the SIV paradigm of Rogaway and Shrimpton.  ...  We compare our performance to the highly optimized OpenSSL 1.0.2 implementation of GCM and show that our nonce misuse-resistant scheme is only 14% slower on Haswell architecture and 19% slower on Broadwell  ...  forgeries as it wishes in the future.  ... 
doi:10.1145/2810103.2813613 dblp:conf/ccs/GueronL15 fatcat:xkjkorptffc7dpkw4fbzzfwpve

Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications [chapter]

Peng Wang, Yuling Li, Liting Zhang, Kaiyan Zheng
2016 Lecture Notes in Computer Science  
Not every UHF-based scheme suffers related-key attacks. GCM [37] is an example. GCM has only one key which is also the key of the underlying block cipher.  ...  It is easy to see that F is RKA-AU (RKA-AXU) for the RKD set Φ_⊕ if and only if F′ is AU (AXU). All the constructions are based on the polynomial evaluation function Poly.  ... 
doi:10.1007/978-3-662-52993-5_26 fatcat:z4gshlyjyzfohbj2cg5t3njiua