Topics in Cryptology – CT-RSA 2013

Volume 7779 of the series Lecture Notes in Computer Science pp 359-374

The Low-Call Diet: Authenticated Encryption for Call Counting HSM Users

  • Mike Bond, Cryptomathic A/S
  • George French, Barclays Bank Plc
  • Nigel P. Smart, University of Bristol
  • Gaven J. Watson, University of Bristol

Abstract

We present a new mode of operation for obtaining authenticated encryption suited for use in environments, e.g. banking and government, where cryptographic services are only available via a Hardware Security Module (HSM) which protects the keys but offers a limited API. The practical problem is that despite the existence of better modes of operation, modern HSMs still provide nothing but a basic (unauthenticated) CBC mode of encryption, and since they mediate all access to the key, solutions must work around this. Our mode of operation makes only a single call to the HSM, yet provides a secure authenticated encryption scheme; authentication is obtained by manipulation of the plaintext being passed to the HSM via a call to an unkeyed hash function. The scheme offers a considerable performance improvement compared to more traditional authenticated encryption techniques which must be implemented using multiple calls to the HSM. Our new mode of operation is provided with a proof of security, on the assumption that the underlying block cipher used in the CBC mode is a strong pseudorandom permutation, and that the hash function is modelled as a random oracle.
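The abstract describes the shape of the mode but not its block layout, so the following is an added illustration of the single-call pattern, not the paper's construction or the subject of its proof. It simulates an HSM whose only key-using operation is raw AES-CBC with a caller-supplied IV, counts those calls, and wraps it so that one call yields a ciphertext that is both confidential and integrity-checked: the plaintext handed to the HSM is the SHA-256 hash of (random nonce || padded message) followed by that payload, with the IV pinned to zero on both sides. The layout, the choice of AES-128 and SHA-256, and the names `hsm`, `Seal`, `Open` and `sealWithNonce` are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// hsm models a device whose only key-using operation is raw CBC with a
// caller-supplied IV. The key never leaves it; everything else runs outside.
type hsm struct {
	block cipher.Block
	Calls int // number of key-using API calls, the cost the paper counts
}

func newHSM(key []byte) (*hsm, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &hsm{block: b}, nil
}

// cbc is the HSM's entire API surface: one CBC pass, encrypt or decrypt.
func (h *hsm) cbc(iv, in []byte, encrypt bool) ([]byte, error) {
	h.Calls++
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("hsm: input not block aligned")
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(h.block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(h.block, iv).CryptBlocks(out, in)
	}
	return out, nil
}

var (
	zeroIV     = make([]byte, aes.BlockSize)
	errInvalid = errors.New("authentication failed")
)

// Plaintext layout for the single CBC call (an assumption of this example):
//   SHA-256(nonce || pad(msg)) || nonce || pad(msg), IV fixed to zero.
// The hash block is fresh for every nonce, so it takes the IV's randomising
// role, and the verifier never lets a ciphertext choose the IV.

// Seal produces an authenticated ciphertext with exactly one HSM call.
func Seal(h *hsm, msg []byte) ([]byte, error) {
	nonce := make([]byte, aes.BlockSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return sealWithNonce(h, nonce, msg)
}

func sealWithNonce(h *hsm, nonce, msg []byte) ([]byte, error) {
	payload := append(append([]byte{}, nonce...), pkcs7Pad(msg)...)
	tag := sha256.Sum256(payload)
	return h.cbc(zeroIV, append(tag[:], payload...), true)
}

// Open verifies and decrypts with one HSM call. The hash is checked over the
// still-padded payload, so a padding error can never act as an oracle.
func Open(h *hsm, ct []byte) ([]byte, error) {
	if len(ct) < sha256.Size+2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errInvalid
	}
	pt, err := h.cbc(zeroIV, ct, false)
	if err != nil {
		return nil, err
	}
	tag, payload := pt[:sha256.Size], pt[sha256.Size:]
	want := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare(tag, want[:]) != 1 {
		return nil, errInvalid
	}
	return pkcs7Unpad(payload[aes.BlockSize:])
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errInvalid
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) ||
		!bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errInvalid
	}
	return b[:len(b)-n], nil
}

func main() {
	h, _ := newHSM(bytes.Repeat([]byte{0x42}, 16)) // constructed demo key
	ct, _ := Seal(h, []byte("account=12345678;amount=100.00"))
	fmt.Printf("sealed %d bytes with %d HSM call(s)\n", len(ct), h.Calls)
	ct[len(ct)-1] ^= 1
	_, err := Open(h, ct)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

The `Calls` counter is the point of the exercise: an encrypt-then-MAC built from the same API would need a second key-using call (for example a CBC-MAC pass) per message, whereas here both sealing and opening cost one call each. Because the IV is fixed by the wrapper rather than carried in the ciphertext, a recipient cannot be steered into a different first block, and any truncation, reordering or bit flip changes the payload that the hash block must match.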