Abstract (English) |
Confidentiality, integrity and authenticity are basic requirements for secure communication over the Internet. These requirements were originally provided separately: confidentiality by a mode of operation, such as Cipher-Block-Chaining (CBC) mode or Counter (CTR) mode, and integrity and authenticity by a message authentication code (MAC). Since combining a mode of operation with a MAC, whether as Encrypt-then-MAC (EtM), MAC-then-Encrypt (MtE) or Encrypt-and-MAC (E&M), almost doubles the computational cost, cryptographers have recently worked on designing a more efficient primitive called "Authenticated Encryption" (AE).
Over the past thirty years, many different kinds of authenticated encryption schemes have been proposed. Most of them use a "Check Vector" (CV) or a MAC together with a mode of operation to additionally provide integrity and authenticity. Cryptographers classify authenticated encryption schemes into two categories.
The first category improves the combination of a mode of operation and a MAC; examples are "Counter-with-CBC-MAC" mode (CCM) [17], "Encrypt-then-Authenticate-then-Translate" mode (EAX) [1] and "Carter-Wegman-with-CTR" mode (CWC) [8]. These schemes are also called "two-pass authenticated encryption" (2-pass AE) because they process the message twice. Two-pass AE not only meets all the requirements for securing communication but also slightly decreases the computational cost compared to the naive combinations. Currently, researchers attempt to improve the authentication component of 2-pass AE to achieve better performance; the "Galois/Counter Mode" of operation (GCM) [12] proposed by McGrew and Viega is claimed to provide low latency and low computational cost from an implementation point of view.
The second category merges the privacy and authenticity mechanisms into one scheme, also called "single-pass AE". Single-pass AE has a speed advantage in providing integrity because it uses a check vector and a checksum as the underlying authentication mechanism, which require only simple operations; moreover, some of the redundancy is precomputable. However, it has the disadvantage that the receiver must run the decryption algorithm first, or it will not be able to check the integrity. Such an algorithm wastes computational resources whenever an error occurred during transmission.
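The generic Encrypt-then-MAC composition discussed above, as an added example that is not code from this thesis. It shows the two passes over the message (one for the mode of operation, one for the MAC) and the property the single-pass schemes lack: the receiver verifies the tag before running the decryption pass, so a ciphertext corrupted in transit is rejected without spending any cipher work on it. Assumptions not taken from the page: the mode of operation is CTR mode instantiated over HMAC-SHA256 as the keyed PRF (the standard library ships no AES; the nonce || counter structure is CTR's), the MAC is HMAC-SHA256 over nonce, associated data and ciphertext with explicit length fields and a 16-byte truncated tag, and the encryption and MAC keys are derived from one master key. The key, nonce and messages in `demo()` are constructed test data.

```python
"""Encrypt-then-MAC (EtM) two-pass authenticated encryption from stdlib primitives.

Added example; not the thesis's own scheme.  The cipher is CTR mode over an
HMAC-SHA256 PRF (an assumption made here because the standard library has no
AES), the MAC is HMAC-SHA256 with a truncated 16-byte tag.
"""
import hashlib
import hmac
import struct

TAG_LEN = 16
# Counts keystream (cipher) passes so the demo can show that rejected
# ciphertexts never reach the decryption pass.
STATS = {"keystream_calls": 0}


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one master key."""
    ke = hmac.new(key, b"enc", hashlib.sha256).digest()
    km = hmac.new(key, b"mac", hashlib.sha256).digest()
    return ke, km


def ctr_keystream(ke: bytes, nonce: bytes, nbytes: int) -> bytes:
    """CTR mode: PRF(ke, nonce || counter) for counter = 0, 1, ... (the cipher pass)."""
    STATS["keystream_calls"] += 1
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hmac.new(ke, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:nbytes])


def _tag(km: bytes, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    """MAC pass over nonce, AD and ciphertext; length prefixes keep the AD/CT boundary unambiguous."""
    m = nonce + struct.pack(">Q", len(ad)) + ad + struct.pack(">Q", len(ct)) + ct
    return hmac.new(km, m, hashlib.sha256).digest()[:TAG_LEN]


def etm_encrypt(key: bytes, nonce: bytes, ad: bytes, pt: bytes) -> bytes:
    """Pass 1: encrypt.  Pass 2: MAC the ciphertext.  Returns ct || tag."""
    ke, km = _subkeys(key)
    ks = ctr_keystream(ke, nonce, len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return ct + _tag(km, nonce, ad, ct)


def etm_decrypt(key: bytes, nonce: bytes, ad: bytes, ct_tag: bytes):
    """Verify the tag first; only a valid ciphertext is ever decrypted.

    Returns the plaintext, or None on a malformed input or a bad tag.
    """
    if len(ct_tag) < TAG_LEN:
        return None
    ct, tag = ct_tag[:-TAG_LEN], ct_tag[-TAG_LEN:]
    ke, km = _subkeys(key)
    # constant-time comparison: a byte-by-byte early exit would leak tag bytes
    if not hmac.compare_digest(tag, _tag(km, nonce, ad, ct)):
        return None
    ks = ctr_keystream(ke, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def demo() -> dict:
    """Round trip, a bit flip in transit, and an AD mismatch, with cipher-pass counts."""
    STATS["keystream_calls"] = 0
    key = bytes(range(32))   # constructed demo key
    nonce = bytes(12)        # constructed; never reuse a nonce under one key in practice
    ad = b"hdr:v1"
    pt = b"attack at dawn"
    c = etm_encrypt(key, nonce, ad, pt)                   # 1 cipher pass
    roundtrip = etm_decrypt(key, nonce, ad, c) == pt      # 1 cipher pass
    flipped = bytes([c[0] ^ 0x01]) + c[1:]                # one ciphertext bit corrupted
    rejected_bitflip = etm_decrypt(key, nonce, ad, flipped) is None      # 0 passes
    rejected_ad = etm_decrypt(key, nonce, b"hdr:v2", c) is None         # 0 passes
    return {
        "roundtrip": roundtrip,
        "rejected_bitflip": rejected_bitflip,
        "rejected_ad": rejected_ad,
        "keystream_calls": STATS["keystream_calls"],
    }


if __name__ == "__main__":
    print(demo())
```

The two counted cipher passes in `demo()` belong to the honest encrypt and decrypt; both rejections return before `ctr_keystream` is reached, which is exactly the work a receiver of a single-pass scheme cannot avoid. The length prefixes in `_tag` are what keep `(ad, ct)` pairs from colliding with each other, and `hmac.compare_digest` is used instead of `==` so the tag check does not leak through timing.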
In this thesis, we propose two different kinds of authenticated encryption scheme based on the concept of error propagation. First, we construct a single-pass AE scheme that uses CBC mode as its backbone, called "Double-Block-Chaining" (DBC). DBC has implementation advantages and several special properties such as "backward decryption" and "encryption algorithm only". In an enhanced version, we design a novel approach to partially pre-check the integrity for DBC; the associated data (AD) is also authenticated in our Enhanced-DBC AE scheme. Second, we propose an integrity checking mechanism named "S-Box chaining integrity checking mechanism" (SC). Besides its speed advantage, "S-Box chaining" is easy to implement, and combining it with CBC mode yields a simple and efficient two-pass AE scheme, called "S-Box Chaining CBC". |
References |
[1] M. Bellare, P. Rogaway, D. Wagner, "The EAX Mode of Operation: A Two-pass Authenticated-Encryption Scheme Optimized for Simplicity and Efficiency," Fast Software Encryption 2004, pp. 389-407, 2004.
[2] S. Frankel, S. Krishnan, "IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap," RFC 6071: http://www.hjp.at/doc/rfc/rfc6071.html, 2011.
[3] V. Gligor, P. Donescu, "Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes," Fast Software Encryption 2001, pp. 92-108, 2001.
[4] C. Jutla, "Encryption Modes with Almost Free Message Integrity," EUROCRYPT 2001, pp. 529-544, 2001.
[5] C. Jutla, "Parallelizable Encryption Mode with Almost Free Message Integrity," Contribution to NIST: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/iapm-spec.pdf, 2000.
[6] T. Krovetz, P. Rogaway, "The Software Performance of Authenticated-Encryption Modes," Fast Software Encryption 2011, pp. 306-327, 2011.
[7] P. K. Kaushal, R. Sobti, G. Geetha, "Random Key Chaining (RKC): AES Mode of Operation," International Journal of Applied Information Systems, vol. 1, pp. 39-45, 2012.
[8] T. Kohno, J. Viega, D. Whiting, "CWC: A High-Performance Conventional Authenticated Encryption Mode," Fast Software Encryption 2004, pp. 408-426, 2004.
[9] C. J. Mitchell, "Analysing the IOBC Authenticated Encryption Mode," Information Security and Privacy, Springer Berlin Heidelberg, pp. 1-12, 2013.
[10] C. J. Mitchell, "Cryptanalysis of the EPBC Authenticated Encryption Mode," Cryptography and Coding, Springer Berlin Heidelberg, pp. 118-128, 2007.
[11] D. McGrew, W. Feghali, P. Hoffman, "Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)," Internet Engineering Task Force (IETF) Internet Draft: http://tools.ietf.org/html/draft-ietf-ipsecme-esp-ah-reqts-02, 2013.
[12] D. McGrew, J. Viega, "The Galois/Counter Mode of Operation (GCM)," Submission to NIST: http://eprint.iacr.org/2004/193.pdf, 2004.
[13] P. Rogaway, "Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC," ASIACRYPT 2004, LNCS vol. 3329, Springer, pp. 16-31, 2004.
[14] F. Recacha, "IOC: The Most Lightweight Authenticated Encryption Mode?," Submission to NIST: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ioc/iocspec.pdf, 2013.
[15] P. Rogaway, M. Bellare, J. Black, "OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption," ACM Transactions on Information and System Security (TISSEC), vol. 6, no. 3, pp. 365-403, 2003.
[16] R. C. Schroeppel, W. E. Anderson, C. L. Beaver, T. J. Draelos, M. D. Torgerson, "Cipher-state (CS) Mode of Operation for AES," Submission to NIST: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/cs/cs-spec.pdf, 2004.
[17] D. Whiting, N. Ferguson, R. Housley, "Counter with CBC-MAC (CCM)," Submission to NIST: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ccm/ccm.pdf, 2002.
|