Tuesday, August 13, 2013

DIAC 2013: Directions in Authenticated Ciphers

This week sees the second workshop on Directions in Authenticated Ciphers (DIAC) in Chicago. The workshop has a focus towards the CAESAR competition to design a new authenticated encryption (AE) scheme. We started on Sunday evening with a slightly wet but enjoyable boat cruise before dinner in a local Asian restaurant. The technical talks began on Monday morning, the first given by Atul Luykx. He presented a new permutation based AE mode named APE. Their aim when designing this mode was to achieve additional misuse-resistance goals. Such misuse-resistant modes have not previously been based on permutations but instead used a block cipher as the underlying primitive.

After lunch Kenny Paterson gave the invited talk on AE modes used in TLS. In his talk he spoke about a number of attacks on TLS, concentrating on two of his own recent attacks. Firstly the Lucky 13 attack which was published at IEEE S&P earlier this year. This attack exploits the use of CBC mode, a 13-byte header, the MAC-encode-encrypt construction and the timing difference between the different MAC checks performed for the two situations of valid and invalid padding (due to an extra compression function calculation). Secondly he briefly described new work on RC4 where they determined all the statistical biases within the keystream and how to utilise these to perform an attack on TLS. This work will be presented later this week at USENIX Security.

During the rest of the afternoon there were a further five talks. The final presentation was given by Begul Bilgin. This talk introduced a new AE scheme called FIDES (named after the goddess of trust) which was designed for use in constrained environments. Due to its online, single-pass structure it has certain efficiency advantages and uses a much smaller number of gates compared to other lightweight schemes such as Hummingbird and Grain. The construction uses a sponge-like structure and comes in versions with either a 80-bit or 96-bit key. The day was concluded with a meal at a nearby Greek restaurant.

On Tuesday there were five talks. The third was given by Shay Gueron who spoke about the software performance of AES-GCM. The purpose of this talk was to give a baseline with which entrants to the CAESAR competition can be compared. The current best implementations of GCM use Intel's AES-NI instruction set and PCLMULQDQ (used to speed up binary field computations needed for GHASH). At the moment speeds are limited by the GHASH calculation with this accounting for 70% of the computation time on Sandy Bridge and Ivy Bridge processors and 40% on Haswell processors.  In summary Gueron felt the target schemes entered to the CAESAR competition should aim to achieve is performance of below 1 cycle per byte.

The final presentation of the workshop was a special "bonus" talk given by Phil Rogaway. Here he argued that the generic compositions of Encrypt&MAC, MAC-then-Encrypt and Encrypt-then-MAC proved by Bellare and Namprempre (BN) should not be the full story of how we now view and study AE. When we think of AE we may consider nonce and IV-based schemes; the work of BN only considers probabilistic schemes. In addition it is now common knowledge that incorporating associated data into our design and analysis is important. This then leads to looking at various other ways of combining primitives to achieve AE. Take nonce-based encryption and a MAC; here the three compositions E&M, EtM and MtE can now all be used to obtain a secure nonce-based AE but with a small caveat; only if encryption is the inverse of decryption (this would require a change to the current definition of nonce-based encryption). Next take an IV-based encryption scheme and combine it with a (single or multi-input) MAC to obtain a nonce-based AE scheme. Rogaway stated that in this situation there are a total of six secure constructions with a seventh method with which they are (as yet) unsure if security is obtained. Examples of current modes fitting in these compositions are EAX and SIV. Finally he discussed whether providing a direct construction from a permutation to a nonce-based AE is actually any better than a construction going via other primitives such as a block cipher.

No comments:

Post a Comment