Re: [Cfrg] new authenticated encryption draft

David McGrew <mcgrew@cisco.com> Wed, 20 September 2006 11:53 UTC

In-Reply-To: <007401c6dc8d$33d42b40$24d5fc83@galois>
References: <007401c6dc8d$33d42b40$24d5fc83@galois>
Message-Id: <174B3B8E-2AA7-42F2-9831-394C3DD13434@cisco.com>
From: David McGrew <mcgrew@cisco.com>
Subject: Re: [Cfrg] new authenticated encryption draft
Date: Wed, 20 Sep 2006 04:53:23 -0700
To: Tom Shrimpton <teshrim@cs.pdx.edu>
Cc: cfrg@ietf.org
List-Id: Crypto Forum Research Group <cfrg.ietf.org>

Thanks Tom!

FYI, the links to the PDF and PS files are broken on Phil's page at
http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.html, but I found
the docs online at http://eprint.iacr.org/2006/221

For others: one of the goals of the Eurocrypt paper was to provide
'misuse resistant' authenticated encryption, which has bearing on the
AE draft.  A formal definition of what it means to resist misuse is
given in Section 7.

David

On Sep 20, 2006, at 1:17 AM, Tom Shrimpton wrote:

> Dear CFRG readers,
>
>  At the risk of seeming like a shameless self-promoter,
>  might I direct your attention to my paper with Phil Rogaway
>  "A Provable-Security Treatment of the Key-Wrap Problem",
>  which appeared at Eurocrypt this year?  In retrospect,
>  the title was perhaps poorly chosen: the initial motivation
>  for the work was to analyze the NIST/ANS X9.102 proposed
>  key-wrapping algorithms, but the main point of the paper
>  is a formal study of deterministic authenticated encryption.
>  The most recent version of the paper, and the specification
>  for our associated Synthetic IV (SIV) blockcipher mode of operation,
>  are available at http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.html.
>  I've included an abstract, below.
>
> Cheers,
> -Tom
>
> ----------------------
>
> (June-December 2006)        (Permanently)
> Thomas Shrimpton            Thomas Shrimpton
> LACAL/IC                    Dept. of Computer Science
> EPFL                        Portland State University
> Lausanne, Switzerland       Portland, OR USA
> +41.021.693.6685            +1.503.725.5392
>                             teshrim@cs.pdx.edu
>                             www.cs.pdx.edu/~teshrim
>
>
>
> Abstract:
> Standards bodies have been addressing the key-wrap problem, a
> cryptographic goal that has never received a provable-security
> treatment. In response, we provide one, giving definitions,
> constructions, and proofs. We suggest that key-wrap's goal is
> security in the sense of deterministic authenticated-encryption
> (DAE), a notion that we put forward. We also provide an alternative
> notion, a pseudorandom injection (PRI), which we prove to be
> equivalent. We provide a DAE construction, SIV, analyze its concrete
> security, develop a blockcipher-based instantiation of it, and
> suggest that the method makes a desirable alternative to the schemes
> of the X9.102 draft standard. The construction incorporates a method
> to turn a PRF that operates on a string into an equally efficient PRF
> that operates on a vector of strings, a problem of independent
> interest. Finally, we consider IV-based authenticated-encryption (AE)
> schemes that are maximally forgiving of repeated IVs, a goal we
> formalize as misuse-resistant AE. We show that a DAE scheme with a
> vector-valued header, such as SIV, directly realizes this goal.
>

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
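The SIV construction and the misuse-resistance property described in the abstract above, as an added worked example that is not part of this thread and not the paper's (or any standard's) own instantiation. Assumptions: HMAC-SHA256 stands in for the paper's blockcipher-based PRF, an explicit length-prefixed encoding stands in for its vector-of-strings-to-string step, and the IV-based encryption layer is a counter-mode keystream derived from the same PRF under a second key. Keys, headers and messages are constructed sample values.

```python
import hashlib
import hmac

# Assumed PRF: HMAC-SHA256 (the paper instantiates SIV with a blockcipher-based
# PRF; this example only needs *some* PRF with a 32-byte output).
TAG_LEN = 32


def xor_bytes(a, b):
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def _encode_vector(strings):
    """Unambiguous (prefix-free) encoding of a vector of byte strings.
    Assumed encoding: item count, then each item length-prefixed, so that
    [b"ab", b"c"] and [b"a", b"bc"] never map to the same string."""
    out = len(strings).to_bytes(4, "big")
    for s in strings:
        out += len(s).to_bytes(8, "big") + s
    return out


def prf_vector(key, strings):
    """A PRF on a vector of strings built from a PRF on a single string."""
    return hmac.new(key, _encode_vector(strings), hashlib.sha256).digest()


def keystream(key, iv, nbytes):
    """Counter-mode keystream: PRF(key, iv || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def ctr_encrypt(key, iv, data):
    """Plain IV-based (non-authenticated) counter-mode encryption; symmetric."""
    return xor_bytes(data, keystream(key, iv, len(data)))


def siv_encrypt(k1, k2, header, plaintext):
    """SIV as a DAE scheme: the IV is the PRF of the header vector plus the
    plaintext, then the plaintext is encrypted under that IV. Deterministic:
    equal (header, plaintext) gives equal ciphertext, and nothing else leaks."""
    iv = prf_vector(k1, list(header) + [plaintext])
    return iv + ctr_encrypt(k2, iv, plaintext)


def siv_decrypt(k1, k2, header, ciphertext):
    """Decrypt, then recompute the IV and compare in constant time.
    Returns None on any authentication failure (including truncation)."""
    if len(ciphertext) < TAG_LEN:
        return None
    iv, body = ciphertext[:TAG_LEN], ciphertext[TAG_LEN:]
    plaintext = ctr_encrypt(k2, iv, body)
    expected = prf_vector(k1, list(header) + [plaintext])
    if not hmac.compare_digest(iv, expected):
        return None
    return plaintext


def ctr_nonce_reuse_leaks(key, nonce, p1, p2):
    """Failure mode the paper's 'misuse-resistant AE' goal is about: with a plain
    IV-based scheme, a repeated nonce makes the keystreams cancel, so the XOR of
    the two ciphertexts equals the XOR of the two plaintexts. Returns True if so."""
    c1 = ctr_encrypt(key, nonce, p1)
    c2 = ctr_encrypt(key, nonce, p2)
    n = min(len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])


def siv_nonce_reuse_leaks(k1, k2, nonce, p1, p2):
    """Same experiment with SIV, the nonce carried as one header component.
    Different plaintexts give different synthetic IVs, so the keystreams do not
    cancel; the only thing an observer learns is whether p1 == p2."""
    c1 = siv_encrypt(k1, k2, [nonce], p1)
    c2 = siv_encrypt(k1, k2, [nonce], p2)
    n = min(len(p1), len(p2))
    body1, body2 = c1[TAG_LEN:], c2[TAG_LEN:]
    return xor_bytes(body1[:n], body2[:n]) == xor_bytes(p1[:n], p2[:n])


if __name__ == "__main__":
    k1, k2 = bytes(range(32)), bytes(range(32, 64))    # constructed sample keys
    header = [b"nonce-0001", b"associated data"]
    c = siv_encrypt(k1, k2, header, b"hello")
    print(siv_decrypt(k1, k2, header, c))                 # b'hello'
    print(siv_decrypt(k1, k2, [b"nonce-0001", b"x"], c))  # None (header mismatch)
    print(ctr_nonce_reuse_leaks(k2, b"n", b"hello", b"world"))      # True
    print(siv_nonce_reuse_leaks(k1, k2, b"n", b"hello", b"world"))  # False
```

The header is a vector so that a nonce, when one is available, is simply one more component: supplying a fresh nonce makes SIV behave like an ordinary IV-based AE scheme, and repeating it degrades only to the DAE guarantee (equality of identical messages is visible), which is the misuse-resistance the abstract refers to. The check in siv_decrypt must compare the recomputed IV over the decrypted plaintext, not trust the transmitted one, and must do so in constant time.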