Re: [Cfrg] new authenticated encryption draft

"Tom Shrimpton" <teshrim@cs.pdx.edu> Wed, 20 September 2006 08:17 UTC

From: Tom Shrimpton <teshrim@cs.pdx.edu>
To: cfrg@ietf.org
Subject: Re: [Cfrg] new authenticated encryption draft
Date: Wed, 20 Sep 2006 01:17:14 -0700
Message-ID: <007401c6dc8d$33d42b40$24d5fc83@galois>

Dear CFRG readers,

 At the risk of seeming like a shameless self-promoter, 
 might I direct your attention to my paper with Phil Rogaway 
 "A Provable-Security Treatment of the Key-Wrap Problem", 
 which appeared at Eurocrypt this year?  In retrospect, 
 the title was perhaps poorly chosen: the initial motivation 
 for the work was to analyze the NIST/ANS X9.102 proposed 
 key-wrapping algorithms, but the main point of the paper 
 is a formal study of deterministic authenticated encryption.
 The most recent version of the paper, and the specification
 for our associated Synthetic IV (SIV) blockcipher mode of operation, 
 are available at http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.html.
 I've included an abstract, below.

Cheers,
-Tom

----------------------

(June-December 2006)        (Permanently)              
Thomas Shrimpton            Thomas Shrimpton
LACAL/IC                    Dept. of Computer Science
EPFL                        Portland State University
Lausanne, Switzerland       Portland, OR USA
+41.021.693.6685            +1.503.725.5392
                            teshrim@cs.pdx.edu
                            www.cs.pdx.edu/~teshrim



Abstract:
Standards bodies have been addressing the key-wrap problem, 
a cryptographic goal that has never received a provable-security treatment. 
In response, we provide one, giving definitions, constructions, and proofs. 
We suggest that key-wrap's goal is security in the sense of deterministic
authenticated-encryption (DAE), a notion that we put forward. 
We also provide an alternative notion, a pseudorandom injection (PRI), 
which we prove to be equivalent. We provide a DAE construction, SIV, 
analyze its concrete security, develop a blockcipher-based instantiation of it, 
and suggest that the method makes a desirable alternative to the schemes 
of the X9.102 draft standard. The construction incorporates a method 
to turn a PRF that operates on a string into an equally efficient PRF 
that operates on a vector of strings, a problem of independent interest. 
Finally, we consider IV-based authenticated-encryption (AE) schemes 
that are maximally forgiving of repeated IVs, a goal we formalize as 
misuse-resistant AE. We show that a DAE scheme with a vector-valued header, 
such as SIV, directly realizes this goal. 
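
An added worked example of the SIV construction the abstract describes (example code written for this page; it is not code from the paper, from the CFRG list, or from any standard). The S2V and SIV wiring follows the paper's construction as it was later written out concretely for AES in RFC 5297; the assumptions here are that the string PRF F is HMAC-SHA256 truncated to 128 bits (standing in for AES-CMAC) and that the IV-based encryption scheme is a PRF-derived counter mode (standing in for AES-CTR), so it runs on the Python standard library alone. The keys, header vector and payload in demo() are constructed test values. The demo passes a nonce as the first header component and checks the misuse-resistance claim: repeating the nonce with a different payload still yields an unrelated IV and ciphertext, while repeating it with the same payload gives the same ciphertext, which is exactly the equality leak DAE permits.

```python
"""SIV deterministic authenticated encryption built from a string PRF.

Added example, not code from the paper or the CFRG list. Stand-ins for the
paper's blockcipher instantiation (assumptions, not AES-SIV):
  * F   = HMAC-SHA256 truncated to n = 128 bits   (in place of AES-CMAC)
  * Pi  = counter mode keyed by the same PRF      (in place of AES-CTR)
The S2V / SIV wiring follows the paper's construction as written out in RFC 5297.
"""
import hashlib
import hmac
from typing import Optional, Sequence

BLOCK = 16  # PRF output length in bytes (n = 128 bits)


def prf(key: bytes, msg: bytes) -> bytes:
    """String PRF F_K: HMAC-SHA256 truncated to 128 bits (assumed stand-in)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK]


def dbl(block: bytes) -> bytes:
    """Multiply by x in GF(2^128), polynomial x^128 + x^7 + x^2 + x + 1."""
    v = int.from_bytes(block, "big") << 1
    if v >> 128:  # the input's MSB was set: reduce modulo the polynomial
        v = (v & ((1 << 128) - 1)) ^ 0x87
    return v.to_bytes(BLOCK, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def s2v(key: bytes, strings: Sequence[bytes]) -> bytes:
    """S2V: lift the string PRF F_K to a PRF on a vector of strings."""
    if not strings:
        return prf(key, (1).to_bytes(BLOCK, "big"))  # <one> = 0^127 1
    d = prf(key, bytes(BLOCK))                      # <zero>
    for s in strings[:-1]:
        d = xor(dbl(d), prf(key, s))
    last = strings[-1]
    if len(last) >= BLOCK:
        t = last[:-BLOCK] + xor(last[-BLOCK:], d)   # "xorend": XOR into the tail
    else:
        padded = last + b"\x80" + bytes(BLOCK - len(last) - 1)  # 10* padding
        t = xor(dbl(d), padded)
    return prf(key, t)


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """IV-based scheme Pi: PRF-derived counter mode (assumption, not AES-CTR)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += prf(key, iv + ctr.to_bytes(8, "big"))
        ctr += 1
    return bytes(out[:length])


def siv_encrypt(k1: bytes, k2: bytes, header: Sequence[bytes], plaintext: bytes) -> bytes:
    """SIV: IV = S2V(K1, H_1..H_m, P); C = Pi_K2(IV, P); output IV || C."""
    iv = s2v(k1, list(header) + [plaintext])
    return iv + xor(plaintext, keystream(k2, iv, len(plaintext)))


def siv_decrypt(k1: bytes, k2: bytes, header: Sequence[bytes], ciphertext: bytes) -> Optional[bytes]:
    """Decrypt, recompute the IV over (header, P), and release P only if it matches."""
    if len(ciphertext) < BLOCK:
        return None
    iv, c = ciphertext[:BLOCK], ciphertext[BLOCK:]
    p = xor(c, keystream(k2, iv, len(c)))
    if not hmac.compare_digest(s2v(k1, list(header) + [p]), iv):
        return None  # forgery or wrong header: no plaintext leaves this function
    return p


def demo() -> dict:
    """Exercise the DAE / misuse-resistance properties on constructed test data."""
    k1 = bytes.fromhex("fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0")  # constructed
    k2 = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")  # constructed
    header = [b"nonce-0001", b"ctx: key-wrap demo"]        # nonce is H_1
    key_to_wrap = bytes(range(32))                         # constructed payload
    c1 = siv_encrypt(k1, k2, header, key_to_wrap)
    c2 = siv_encrypt(k1, k2, header, key_to_wrap)          # same nonce, same payload
    c3 = siv_encrypt(k1, k2, header, bytes(range(32, 64))) # same nonce, new payload
    tampered = c1[:-1] + bytes([c1[-1] ^ 0x01])
    return {
        "deterministic": c1 == c2,
        "roundtrip": siv_decrypt(k1, k2, header, c1) == key_to_wrap,
        "nonce_reuse_hides_payload": c3[:BLOCK] != c1[:BLOCK] and c3[BLOCK:] != c1[BLOCK:],
        "tamper_rejected": siv_decrypt(k1, k2, header, tampered) is None,
        "header_bound": siv_decrypt(k1, k2, [b"nonce-0002", header[1]], c1) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The decrypt side is where key-wrap implementations usually go wrong: the IV check must run over the full header vector and the recovered plaintext, in constant time, and nothing may be returned before it passes. Swapping the HMAC stand-ins for AES-CMAC and AES-CTR (with the RFC 5297 counter-bit clearing) turns this into the paper's blockcipher-based instantiation.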

