Pipelineable On-line Encryption
Correct authenticated decryption requires the receiver to buffer the decrypted message until the authenticity check has been performed. In high-speed networks, which must handle large message frames at low latency, this behavior becomes practically infeasible. This paper proposes CCA-secure on-line ciphers as a practical alternative to AE schemes since the former provide some defense against malicious message modifications. Unfortunately, all published on-line ciphers so far are either inherently sequential, or lack a CCA-security proof.
This paper introduces POE, a family of on-line ciphers that combines provable security against chosen-ciphertext attacks with pipelineability to support efficient implementations. POE combines a block cipher and an \(\epsilon \)-AXU family of hash functions. Different instantiations of POE are given, based on different universal hash functions and suitable for different platforms. Moreover, this paper introduces POET, a provably secure on-line AE scheme, which inherits pipelineability and chosen-ciphertext-security from POE and provides additional resistance against nonce-misuse attacks.
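As an added example (not code from the paper), the following Python shows the behaviour the abstract relies on: an on-line cipher built from a block cipher and an ε-AXU hash family, in which each ciphertext block depends only on the plaintext blocks up to that point, decryption yields each block as soon as its ciphertext arrives, and a modified ciphertext block garbles every plaintext block from that position onward. The chaining used here, the 4-round Feistel network standing in for the block cipher, GF(2^128) multiplication as the hash, and the keys and message are all assumptions and constructed values, not POE's specification.

```python
import hashlib

def gf_mul(a, b):
    # Multiply in GF(2^128) mod x^128+x^7+x^2+x+1; F_L(v) = L*v is an eps-AXU family keyed by L
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = ((a << 1) & ((1 << 128) - 1)) ^ (0x87 if a >> 127 else 0)
    return r

def prp(k, v, inverse=False):
    # 4-round Feistel over 128-bit blocks: a stand-in for the block cipher E_K, not a real cipher
    f = lambda i, h: int.from_bytes(hashlib.sha256(k + bytes([i]) + h.to_bytes(8, "big")).digest()[:8], "big")
    l, r = v >> 64, v & ((1 << 64) - 1)
    for i in (reversed(range(4)) if inverse else range(4)):
        l, r = (r ^ f(i, l), l) if inverse else (r, l ^ f(i, r))
    return (l << 64) | r

def encrypt(keys, blocks):
    k, lt, lb = keys
    x = y = 1  # chain state (constructed initial values)
    out = []
    for m in blocks:
        x = gf_mul(lt, x) ^ m  # top chain: hash of the previous cipher input, plus M_i
        y_new = prp(k, x)
        out.append(y_new ^ gf_mul(lb, y))  # bottom chain: hash of the previous cipher output
        y = y_new
    return out

def decrypt(keys, blocks):
    k, lt, lb = keys
    x = y = 1
    out = []
    for c in blocks:  # M_i is recovered as soon as C_1..C_i have arrived: no buffering
        y_new = c ^ gf_mul(lb, y)
        x_new = prp(k, y_new, inverse=True)
        out.append(x_new ^ gf_mul(lt, x))
        x, y = x_new, y_new
    return out

def corrupted_blocks(keys, blocks, i):
    # Flip one bit of C_i and return the indices of the plaintext blocks that change
    c = encrypt(keys, blocks)
    c[i] ^= 1
    return [j for j, (m, p) in enumerate(zip(blocks, decrypt(keys, c))) if m != p]
KEYS = (b"constructed-key!", 0x0123456789abcdef0123456789abcdef,
        0xfedcba9876543210fedcba9876543210)  # constructed sample keys (K, L_top, L_bottom)
MSG = [int.from_bytes(f"message block {i:02d}".encode(), "big") for i in range(4)]
```

Flipping a bit in block 1 of the 4-block sample changes plaintext blocks 1, 2 and 3, which is the error propagation an application can use to notice tampering without a tag.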
Keywords: On-line cipher, Chosen-ciphertext security, Authenticated encryption
We thank all reviewers of the FSE 2014 for their helpful comments and Daniel J. Bernstein and Tetsu Iwata for fruitful discussions. Finally, we thank Jian Guo, Jérémy Jean, Thomas Peyrin, and Lei Wang who pointed out a mismatch between the specified and the analyzed version of POET in the pre-proceedings version.