Master's/Doctoral Thesis 100522098: Detailed Record
Author: Cho-hsuan Chiang (江卓軒)    Department: Computer Science and Information Engineering (資訊工程學系)
Title: 基於錯誤傳遞之認證加密演算法設計
(The Design of Authenticated Encryption Scheme Base on Error-Propagation)
Related theses
★ Design of Various Digital Proxy Signature Schemes
★ A Study of Micropayment Systems
★ A Study of Physical Cryptanalysis Attacks
★ A Study of Commercial Key Recovery and Key Escrow Mechanisms
★ Physical Cryptanalysis of the AES Data Encryption Standard
★ A Study of Electronic Auction Systems
★ A Dynamic Code-Segment Protection Mechanism against Stack Overflow Attacks
★ A Parameter Study of the General Number Field Sieve Factoring Method
★ Implementing a DPA-Resistant AES Encryptor on an 8051 Microcontroller
★ A Study of Defending against Power Attacks with Non-deterministic Software and Mask-Splitting Countermeasures
★ A Study of Masking Countermeasures against Differential Power Attacks
★ Power Analysis of the AES Data Encryption Standard
★ Design and Cryptanalysis of Micropayment Systems
★ A Study of Fair Electronic Cash Systems
★ Physical Cryptanalysis of the RSA Public-Key Cryptosystem
★ A Study of Protecting Data Collected by Mobile Agents
  1. Access to this electronic thesis has been approved for immediate open release.
  2. Full texts that have reached their open-access date are licensed only for personal, non-commercial searching, reading and printing for the purpose of academic research.
  3. Please comply with the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast the work without authorization.

Abstract (Chinese) Authenticated Encryption (AE) is a network communication security mechanism that simultaneously provides message confidentiality, data integrity and origin authentication. Traditional authenticated encryption is built by combining a symmetric encryption system with a message authentication code (MAC); the computational overhead of such a two-pass authenticated encryption scheme (2-pass AE) is roughly twice that of a system that uses the encryption algorithm alone.
Recent authenticated encryption schemes have improved performance in two directions. The first is single-pass authenticated encryption (single-pass AE), which uses a checksum as an additional input to ensure integrity; this type has a low computational cost, but integrity can only be verified after the decryption operation has been carried out. The second accelerates the integrity-checking step of two-pass authenticated encryption; schemes of this type retain the ability to pre-check integrity, but their performance improvement is limited and cannot compare with the former.
Based on the concept of error propagation, this thesis proposes two different types of authenticated encryption scheme. The first is Double-Block-Chaining AE (DBC), a single-pass authenticated encryption scheme designed on top of the Cipher-Block-Chaining mode of operation (CBC). DBC has implementation advantages and two properties unique among block-cipher schemes: backward decryption and requiring only the encryption algorithm to be implemented. In the enhanced version, we further give it the ability to pre-check partial integrity and to authenticate associated data. This thesis also proposes an integrity checking mechanism, S-box chaining (SC). Besides being easy to implement, SC combined with CBC and supplemented with a means of hiding part of the information yields a low-cost two-pass authenticated encryption scheme, SC-CBC.
Abstract (English) Confidentiality, integrity and authenticity are basic requirements for ensuring secure communication over the Internet. Those requirements were at first provided separately by modes of operation, such as the Cipher-Block-Chaining mode of operation (CBC) and the Counter mode of operation (CTR), and by message authentication codes (MAC). Since the combination of a mode of operation and a MAC, including Encrypt-then-MAC (EtM), MAC-then-Encrypt (MtE) and Encrypt-and-MAC (E&M), almost doubles the computational cost, cryptographers have recently worked on designing a more efficient scheme called "Authenticated Encryption (AE)".
Over the past thirty years, many different kinds of authenticated encryption scheme have been proposed. Most of them use a "Check Vector (CV)" or a MAC together with a mode of operation to additionally provide integrity and authenticity. Cryptographers classify authenticated encryption schemes into two categories:
The first improves the combination of a mode of operation and a MAC, such as "Counter-with-CBC-MAC mode (CCM)", "Encrypt-then-Authenticate-then-Translate mode (EAX)" and "Carter-Wegman-with-CTR mode (CWC)". The above schemes are also called "Two-pass Authenticated Encryption Schemes (2-pass AE)" because they need to go through the message twice. Two-pass AE not only meets all the requirements for securing communication but also slightly decreases the computational cost compared to the naive methods. Currently, researchers attempt to improve the authentication modes inside 2-pass AE algorithms to achieve better performance. The "Galois/Counter Mode of operation (GCM)" proposed by McGrew claims to provide a low-latency and low-computational-cost AE scheme from the implementation aspect.
The second merges the privacy and authenticity modes into one scheme, which is also called "single-pass AE". Single-pass AE has a speed advantage in providing integrity because it applies a check vector and checksum as the underlying authentication mechanism, which only requires communication and simple operations; moreover, some of the redundancy is precomputable. However, there is a disadvantage: the receiver must run the decryption algorithm first, or he will not be able to check the integrity. Such an algorithm wastes computational resources if any error occurred during transmission.
In this thesis, we propose two different kinds of authenticated encryption scheme using the concept of error propagation. First we construct a single-pass AE which uses CBC mode as its backbone, called "Double-Block-Chaining (DBC)". DBC has implementation advantages and several special properties such as "backward decryption" and "encryption algorithm only". In the enhanced version, we design a novel approach to partially pre-check the integrity for DBC; moreover, the associated data (AD) is also authenticated in our Enhanced-DBC AE scheme. Second, we propose an integrity checking mechanism named "S-Box chaining integrity checking mechanism (SC)". Besides its speed advantage, "S-Box chaining" is easy to implement, and combining it with CBC mode turns out a simple and efficient two-pass AE, called "S-Box Chaining CBC".
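The two categories the abstract contrasts, shown as an added example that is not part of the thesis and does not implement its DBC or SC schemes: a generic 2-pass Encrypt-then-MAC AE (CBC plus HMAC) beside a naive checksum-style single-pass scheme. The point it demonstrates is the receiver-side difference the abstract describes: the 2-pass scheme rejects a corrupted message before any decryption work, while the checksum scheme must decrypt the whole message first; it also shows CBC's error-propagation behaviour (one corrupted ciphertext block garbles its own plaintext block and flips the same bit in the next). The block cipher is a stand-in (a 4-round Feistel network keyed with HMAC-SHA256, assumed here only so the code runs offline without third-party AES); it is not a secure cipher, the XOR checksum is illustrative only, and the keys, IV and message are constructed values.

```python
"""Added example, not from the thesis: 2-pass Encrypt-then-MAC (CBC + HMAC) beside a
naive checksum-style single-pass scheme, over a stand-in Feistel block cipher.
The stand-in cipher and XOR checksum are illustrative only, not secure primitives."""
import hashlib
import hmac

BLOCK = 16  # block size in bytes, as for AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    """Feistel round function: 8 bytes of HMAC-SHA256 over (round index, half-block)."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 16-byte keyed permutation (4-round Feistel network), assumed for the demo."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: undo the Feistel rounds in reverse order."""
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC mode: C_i = E(P_i XOR C_{i-1}) with C_0 = IV; input must be block-aligned."""
    assert len(plaintext) % BLOCK == 0
    blocks, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        blocks.append(prev)
    return b"".join(blocks)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CBC mode: P_i = D(C_i) XOR C_{i-1}; an error in C_i affects only P_i and P_{i+1}."""
    blocks, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        blocks.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(blocks)


def etm_encrypt(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes):
    """2-pass AE: pass 1 encrypts, pass 2 computes an HMAC tag over IV || ciphertext."""
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def etm_decrypt(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes, tag: bytes):
    """Returns (plaintext or None, whether decryption was executed)."""
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None, False  # rejected before spending any decryption work
    return cbc_decrypt(enc_key, iv, ct), True


def _xor_checksum(data: bytes) -> bytes:
    chk = bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        chk = _xor(chk, data[i:i + BLOCK])
    return chk


def checksum_encrypt(enc_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Naive single-pass AE: append an XOR checksum block, then encrypt once."""
    return cbc_encrypt(enc_key, iv, plaintext + _xor_checksum(plaintext))


def checksum_decrypt(enc_key: bytes, iv: bytes, ct: bytes):
    """Returns (plaintext or None, whether decryption was executed); here it always is."""
    pt = cbc_decrypt(enc_key, iv, ct)  # the whole message must be decrypted before checking
    body, chk = pt[:-BLOCK], pt[-BLOCK:]
    return (body if hmac.compare_digest(chk, _xor_checksum(body)) else None), True


def demo() -> dict:
    """Corrupt one ciphertext bit and record how each scheme reacts (constructed inputs)."""
    enc_key, mac_key = b"E" * 32, b"M" * 32          # constructed keys
    iv = bytes(range(BLOCK))                         # constructed, fixed for reproducibility
    msg = b"attack at dawn!!" + b"retreat at dusk!"  # two constructed 16-byte blocks
    ct, tag = etm_encrypt(enc_key, mac_key, iv, msg)
    bad_ct = bytes([ct[0] ^ 0x01]) + ct[1:]          # flip one bit in the first block
    garbled = cbc_decrypt(enc_key, iv, bad_ct)       # raw CBC error propagation, no tag check
    chk_ct = checksum_encrypt(enc_key, iv, msg)
    bad_chk_ct = bytes([chk_ct[0] ^ 0x01]) + chk_ct[1:]
    return {
        "etm_roundtrip": etm_decrypt(enc_key, mac_key, iv, ct, tag),
        "etm_corrupted": etm_decrypt(enc_key, mac_key, iv, bad_ct, tag),
        "checksum_corrupted": checksum_decrypt(enc_key, iv, bad_chk_ct),
        "block0_garbled": garbled[:BLOCK] != msg[:BLOCK],
        "block1_one_bit": garbled[BLOCK:] == bytes([msg[BLOCK] ^ 0x01]) + msg[BLOCK + 1:],
    }
```

Running `demo()` returns `etm_corrupted == (None, False)` (tag mismatch, no decryption performed) against `checksum_corrupted == (None, True)` (rejected only after a full decryption pass), which is the wasted-work case the abstract attributes to single-pass designs; the two `block*` entries show why a chaining mode is a natural base for an error-propagation design.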
Keywords (Chinese) ★ Authenticated encryption scheme
★ Cryptography
★ Block cipher
★ Integrity checking
Keywords (English) ★ Authenticated Encryption
★ Cryptography
★ Block cipher algorithm
★ Integrity checking
Table of Contents
1 Introduction
1.1 Background and Motivation
1.2 Our Contributions
1.3 Overview of the Thesis
2 Preliminary
2.1 Models of Authenticated Encryption Scheme
2.2 Requirements of Authenticated Encryption
3 Related Work
3.1 Mode of Operation
3.1.1 Well-known Mode of Operation
3.2 Authenticated Encryption
3.2.1 Counter with CBC-MAC (CCM) AE
3.2.2 Offset Code Book (OCB) AE
3.2.3 Galois Counter Mode (GCM) AE
4 Enhanced Double Block Chaining AE scheme
4.1 Double Block Chaining (DBC) AE scheme
4.1.1 Basic Concept and Requirements
4.1.2 Algorithm of DBC
4.1.3 DBC Implementations
4.1.4 Security Analysis
4.2 Enhanced DBC AE Scheme (EDBC)
4.2.1 Concept of EDBC
4.2.2 Partial Pre-Checking Mechanism for EDBC
4.2.3 EDBC with Associated Data
4.2.4 Contributions of EDBC
5 S-Box Chaining with CBC mode AE Scheme
5.1 S-Box Chaining (SC) Integrity Checking Mechanism
5.1.1 Efficient Computation of $Y^i_j$ and $Z^i_j$
5.1.2 Security Analysis
5.1.3 Error Propagation Mechanism
5.1.4 The Characteristic of Exclusive-or Operation
5.1.5 The Window Size for S-Box Chaining Integrity Checking Mechanism
5.2 SC with CBC mode AE Scheme
5.2.1 Security Consideration
5.2.2 Performance Analysis and Applications
6 Conclusion and Future Work
6.1 Conclusion
6.2 Future Work
Bibliography
References
[1] M. Bellare, P. Rogaway, D. Wagner, "The EAX Mode of Operation: A Two-pass Authenticated-Encryption Scheme Optimized for Simplicity and Efficiency," Fast Software Encryption 2004, pp. 389-407, 2004.
[2] S. Frankel, S. Krishnan, "IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap," RFC 6071: http://www.hjp.at/doc/rfc/rfc6071.html, 2011.
[3] V. Gligor, P. Donescu, "Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes," Fast Software Encryption 2001, pp. 92-108, 2001.
[4] C. Jutla, "Encryption Modes with Almost Free Message Integrity," EUROCRYPT 2001, pp. 529-544, 2001.
[5] C. Jutla, "Parallelizable Encryption Mode with Almost Free Message Integrity," Contribution to NIST: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/iapm-spec.pdf, 2000.
[6] T. Krovetz, P. Rogaway, "The Software Performance of Authenticated-Encryption Modes," Fast Software Encryption 2011, pp. 306-327, 2011.
[7] P. K. Kaushal, R. Sobti, G. Geetha, "Random Key Chaining (RKC): AES Mode of Operation," International Journal of Applied Information Systems, vol. 1, pp. 39-45, 2012.
[8] T. Kohno, J. Viega, D. Whiting, "CWC: A High-Performance Conventional Authenticated Encryption Mode," Fast Software Encryption 2004, pp. 408-426, 2004.
[9] C. J. Mitchell, "Analysing the IOBC Authenticated Encryption Mode," Information Security and Privacy, Springer Berlin Heidelberg, pp. 1-12, 2013.
[10] C. J. Mitchell, "Cryptanalysis of the EPBC Authenticated Encryption Mode," Cryptography and Coding, Springer Berlin Heidelberg, pp. 118-128, 2007.
[11] D. McGrew, W. Feghali, P. Hoffman, "Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)," Internet Engineering Task Force (IETF) Internet Draft: http://tools.ietf.org/html/draft-ietf-ipsecme-esp-ah-reqts-02, 2013.
[12] D. McGrew, J. Viega, "The Galois/Counter Mode of Operation (GCM)," Submission to NIST: http://eprint.iacr.org/2004/193.pdf, 2000.
[13] P. Rogaway, "Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC," ASIACRYPT 2004, LNCS vol. 3329, Springer, pp. 16-31, 2004.
[14] F. Recacha, "IOC: The Most Lightweight Authenticated Encryption Mode?," Submission to NIST: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ioc/iocspec.pdf, 2013.
[15] P. Rogaway, M. Bellare, J. Black, "OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption," ACM Transactions on Information and System Security (TISSEC), vol. 6, no. 3, pp. 365-403, 2003.
[16] R. C. Schroeppel, W. E. Anderson, C. L. Beaver, T. J. Draelos, M. D. Torgerson, "Cipher-state (CS) Mode of Operation for AES," Submission to NIST: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/cs/cs-spec.pdf, 2004.
[17] D. Whiting, N. Ferguson, R. Housley, "Counter with CBC-MAC (CCM)," Submission to NIST: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ccm/ccm.pdf, 2002.
Advisor: Sung-ming Yen (顏嵩銘)    Approval date: 2014-7-25

For questions about this thesis, please contact the Promotion and Outreach Services Section of the National Central University Library, TEL: (03)422-7151 ext. 57407, or by e-mail.