Re: [Cfrg] new authenticated encryption draft
"Tom Shrimpton" <teshrim@cs.pdx.edu> Wed, 20 September 2006 08:17 UTC
From: Tom Shrimpton <teshrim@cs.pdx.edu>
To: cfrg@ietf.org
Subject: Re: [Cfrg] new authenticated encryption draft
Date: Wed, 20 Sep 2006 01:17:14 -0700
Dear CFRG readers,

At the risk of seeming like a shameless self-promoter, might I direct your attention to my paper with Phil Rogaway "A Provable-Security Treatment of the Key-Wrap Problem", which appeared at Eurocrypt this year?

In retrospect, the title was perhaps poorly chosen: the initial motivation for the work was to analyze the NIST/ANS X9.102 proposed key-wrapping algorithms, but the main point of the paper is a formal study of deterministic authenticated encryption.

The most recent version of the paper, and the specification for our associated Synthetic IV (SIV) blockcipher mode of operation, are available at http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.html. I've included an abstract, below.

Cheers,
-Tom

----------------------
(June-December 2006)          (Permanently)
Thomas Shrimpton              Thomas Shrimpton
LACAL/IC                      Dept. of Computer Science
EPFL                          Portland State University
Lausanne, Switzerland         Portland, OR USA
+41.021.693.6685              +1.503.725.5392
teshrim@cs.pdx.edu            www.cs.pdx.edu/~teshrim

Abstract:

Standards bodies have been addressing the key-wrap problem, a cryptographic goal that has never received a provable-security treatment. In response, we provide one, giving definitions, constructions, and proofs. We suggest that key-wrap's goal is security in the sense of deterministic authenticated-encryption (DAE), a notion that we put forward. We also provide an alternative notion, a pseudorandom injection (PRI), which we prove to be equivalent. We provide a DAE construction, SIV, analyze its concrete security, develop a blockcipher-based instantiation of it, and suggest that the method makes a desirable alternative to the schemes of the X9.102 draft standard. The construction incorporates a method to turn a PRF that operates on a string into an equally efficient PRF that operates on a vector of strings, a problem of independent interest.

Finally, we consider IV-based authenticated-encryption (AE) schemes that are maximally forgiving of repeated IVs, a goal we formalize as misuse-resistant AE. We show that a DAE scheme with a vector-valued header, such as SIV, directly realizes this goal.
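As an added illustration of the SIV structure the abstract describes (example code written for this archive page, not from the paper, its specification, or the message author): the synthetic IV is a PRF of the header vector and the message, the message is encrypted under that IV, and decryption recomputes the IV to authenticate. HMAC-SHA256 stands in for the paper's AES-CMAC PRF, a length-prefix encoding stands in for its S2V vector PRF, an HMAC counter keystream stands in for AES-CTR, and the keys and messages are constructed sample values; the `misuse_demo` function then shows the misuse-resistance point by placing the nonce in the header vector.

```python
import hmac
import hashlib

# Added example: toy instantiation of the SIV construction. HMAC-SHA256 replaces
# the paper's AES-CMAC PRF, an HMAC counter keystream replaces AES-CTR.
IV_LEN = 16

def vector_prf(key: bytes, parts: list) -> bytes:
    # PRF over a vector of strings; length prefixes stand in for the paper's S2V.
    mac = hmac.new(key, len(parts).to_bytes(4, "big"), hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(8, "big") + p)
    return mac.digest()[:IV_LEN]

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Counter-mode keystream seeded by the synthetic IV.
    blocks = (hmac.new(key, iv + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def siv_encrypt(k1: bytes, k2: bytes, header: list, msg: bytes) -> bytes:
    # IV = F_K1(header vector, message); output = IV || E_K2(IV, message).
    iv = vector_prf(k1, header + [msg])
    return iv + bytes(a ^ b for a, b in zip(msg, keystream(k2, iv, len(msg))))

def siv_decrypt(k1: bytes, k2: bytes, header: list, ct: bytes):
    # Recover the message, recompute the IV, and reject unless it matches.
    if len(ct) < IV_LEN:
        return None
    iv, body = ct[:IV_LEN], ct[IV_LEN:]
    msg = bytes(a ^ b for a, b in zip(body, keystream(k2, iv, len(body))))
    if not hmac.compare_digest(iv, vector_prf(k1, header + [msg])):
        return None  # tampered ciphertext or wrong header: nothing is released
    return msg

def misuse_demo() -> dict:
    # Constructed sample values. A nonce in the header vector gives a nonce-based
    # AE; a repeated nonce reveals only that the same message was sent again.
    k1, k2, ad, msg = b"A" * 32, b"B" * 32, b"ctx", b"attack at dawn"
    c1 = siv_encrypt(k1, k2, [ad, b"nonce-1"], msg)
    c2 = siv_encrypt(k1, k2, [ad, b"nonce-1"], msg)
    c3 = siv_encrypt(k1, k2, [ad, b"nonce-2"], msg)
    tampered = c1[:-1] + bytes([c1[-1] ^ 1])
    return {
        "repeat_equal": c1 == c2,
        "fresh_nonce_differs": c1 != c3,
        "roundtrip": siv_decrypt(k1, k2, [ad, b"nonce-1"], c1) == msg,
        "tamper_rejected": siv_decrypt(k1, k2, [ad, b"nonce-1"], tampered) is None,
        "wrong_header_rejected": siv_decrypt(k1, k2, [ad, b"nonce-2"], c1) is None,
    }
```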