π–Cipher v2 - Google Groups

Download PDF
2 downloads 54 Views 82KB Size Report
Comment
2ITEM, Norwegian University of Science and Technology, Trondheim, Norway .... rn a l. S ta te. C. I. S tag T. C1. Mm pct
π–Cipher v2

1

Designers: Danilo Gligoroski2 and Hristina Mihajloska3 and Simona Samardjiska23 and H˚ akon Jacobsen2 and Mohamed El-Hadedy2 and Rune Erlend Jensen4

Submitter: Hristina Mihajloska [email protected]

Appendix ”How to securely do incremental encryption with π-Cipher (even with nonce misuse)” March 2015

1

Since, the name of the cipher contains the Greek letter π, in the software implementations we will use the name PiCipher. 2 ITEM, Norwegian University of Science and Technology, Trondheim, Norway 3 FCSE, ”Ss Cyril and Methodius” University, Skopje, Republic of Macedonia 4 IDI, Norwegian University of Science and Technology, Trondheim, Norway

Appendix: How to securely do incremental encryption with π-Cipher (even with nonce misuse) In the original documentation for π-Cipher v1.0 [1] there is a short mentioning about the Incrementality feature of π-Cipher: Incrementality. The π-Cipher is an incremental authenticated cipher. Unlike AES-GCM which also has the incremental property, the π-Cipher computes the incremented tag with a constant number of operations regardless of the relative position of the changed plaintext block in the whole encrypted plaintext. This is the only information about the incrementality feature. There is no further explanation how incremental update works, what is the update algorithm and what are the assumptions for this feature of π-Cipher to be secure. In the mean time, Abed, Forler and Lucks published the paper ”General Overview of the First-Round CAESAR Candidates for Authenticated Ecryption” [2]. For the ”Incremental Authenticated Encryption” they took the following (in our opinion correct) criteria: ”Note that some schemes may provide this property under the requirement of reusing the nonce. We consider nonce misuse to be an erroneous usage which should not be encouraged to obtain a nice feature. Hence, we denote

2

3 scheme to provide incremental authenticated encryption only if the nonce is used only once and never is repeated.” By this criteria, they correctly categorized π-Cipher as non-incremental cipher. In this note we explain how π-Cipher can be used as incremental authenticated cipher, that complies with the criteria of Abed, Forler and Lucks for incremental authenticated encryption. It comes with a costs of an additional data overhead of 64 bits per encrypted block. That data overhead serves as an update counter UpdCtr, that records the history of updates for every data block. The default block sizes for π-Cipher are 128, 256 or 512 bits. Adding a data overhead of 64 bits for every data block would be an enormous and unacceptable overhead of 50%, 25% or 12.5%. Luckily, π-Cipher is designed to be tweakable for different word sizes, different security levels and different block sizes. Recently we posted an appendix describing variants of π-Cipher with block sizes of 512B, 2KB, 4KB, 8KB and 16KB. For those sizes the corresponding percentage of the overhead of 64 bits is: 1.5%, 0.39%, 0.19%, 0.09% and 0.04%. For even bigger block sizes, this overhead can become negligible.

Algorithm 1 - Incremental tag update operation Input. The common internal state CIS, ctr ` a ` 1, the block index i, the old block Mi , the update counter for that block U pdCtri , the new block Mi1 and the old tag value T . Output. A new ciphertext block Ci and a new tag T . 1. For the old block Mi , calculate: IS Ð πpCIS À bitrate ‘ ppctr ` a ` 1q ` i k U pdCtri q kk CIScapacity q; Ci Ð Mi ISbitrate ; ti Ð πpCi kk IScapacity qbitrate ; 2. Increase the value of the update counter U pdCtri Ð U pdCtri ` 1 3. For the new block Mi1 , calculate: IS Ð πpCIS À bitrate ‘ ppctr ` a ` 1q ` i k U pdCtri q kk CIScapacity q; Ci1 Ð Mi1 ISbitrate ; t1i Ð πpCi1 kk IScapacity qbitrate ; Ð 4. Combine T , ti and t1i via a combining group operation 64 to get the final Ñ Ð 1 1 authentication tag value T “ T 64 ti 64 ti ; 5. Replace: Ci Ð Ci1 and T Ð T 1 ; 6. Output Ci and T .

Table 1: Incremental authentication encryption update with π-Cipher.

4 Note that in case that the user do not want to keep in memory the precomputed values for CIS and ctr ` a ` 1 then he/she has to execute again the Initialization phase with the secret key K and the nonce part P MN, then will have to process the associated data and finally to encrypt again SMN. As it is shown in Step 1 and Step 3, the incremental authentication encryption mode works in such a way that the 64-bit update counters UpdCtri are injected in the sponge permutation state concatenated to the block counters. That means that the vectors pP MN, SMN, ctr, UpdCtri q form a unique nonce, for every block Mi , thus there is no nonce repetition and misuse. A graphical presentation of the encryption phase in this incremental authenticated encryption mode of π-Cipher is given in Figure 1.

5

M1

t1

pctr ` a ` 1q ` m||U pdCtrm

π function Cm

Mm

tag T 2 tag T

π function

tm

π function

Common Internal State CIS

C1

π function

Common Internal State CIS

pctr ` a ` 1q ` 1||U pdCtr1

Figure 1: Processing the message M with m blocks in parallel. Here the 64-bit update counters UpdCtri are injected into the sponge state.

References [1] Danilo Gligoroski, Hristina Mihajloska, Simona Samardjiska, Hakon Jacobsen, Mohamed El-Hadedy, and Rune Erlend Jensen. π-cipher v1. Cryptographic competitions: CAESAR, 2014. http://competitions.cr.yp.to/caesar-submissions.htmls. [2] Farzaneh Abed, Christian Forler, Stefan Lucks. General Overview of the First-Round CAESAR Candidates for Authenticated Ecryption. Cryptology ePrint Archive, Report 2014/792, 2014. http://eprint.iacr.org/.

6

Suggest Documents

π–Cipher v2 - Google Groups

π–Cipher v2 - Google Groups
Read more
Cryptanalysis of Lightweight Authenticated Cipher ... - Google Groups

Cryptanalysis of Lightweight Authenticated Cipher ... - Google Groups
Read more
Fault Attack on the Authenticated Cipher ACORN v2

Fault Attack on the Authenticated Cipher ACORN v2
Read more
2014 Mail Bio Book V2.indd - Google Groups

2014 Mail Bio Book V2.indd - Google Groups
Read more
arXiv:astro-ph/0310607 v2 2 Feb 2004 - Google Groups

arXiv:astro-ph/0310607 v2 2 Feb 2004 - Google Groups
Read more
Permutation Groups and the Solution of German Enigma Cipher

Permutation Groups and the Solution of German Enigma Cipher
Read more
The Shadow Cipher - Google Sites

The Shadow Cipher - Google Sites
Read more
Stream cipher

Stream cipher
Read more
Cipher sleuth

Cipher sleuth
Read more
v2

v2
Read more
Bingo v2 GB - Google

Bingo v2 GB - Google
Read more
Developing a Modified Hybrid Caesar Cipher and Vigenere Cipher for ...

Developing a Modified Hybrid Caesar Cipher and Vigenere Cipher for ...
Read more
238+Reviews; V2 Promo Codes - V2 Cigs Coupon ... - Google Sites

238+Reviews; V2 Promo Codes - V2 Cigs Coupon ... - Google Sites
Read more
vigenere cipher example pdf - Google Drive

vigenere cipher example pdf - Google Drive
Read more
THROUGHPUT OPTIMIZATION OF THE CIPHER ... - Google Sites

THROUGHPUT OPTIMIZATION OF THE CIPHER ... - Google Sites
Read more
The Expeditious Cipher (X-cipher)IJCSCS - Magdy Saeb

The Expeditious Cipher (X-cipher)IJCSCS - Magdy Saeb
Read more
THROUGHPUT OPTIMIZATION OF THE CIPHER ... - Google Sites

THROUGHPUT OPTIMIZATION OF THE CIPHER ... - Google Sites
Read more
Block cipher, etc.

Block cipher, etc.
Read more
The LED Block Cipher

The LED Block Cipher
Read more
The Cipher SHARK - CiteSeerX

The Cipher SHARK - CiteSeerX
Read more
Steam Cipher Topics

Steam Cipher Topics
Read more
Copiale cipher - STP

Copiale cipher - STP
Read more
366+Reviews; V2 Discounts - Sisel Live Intro V2 - Google Sites

366+Reviews; V2 Discounts - Sisel Live Intro V2 - Google Sites
Read more
12 Example: Playfair Cipher

12 Example: Playfair Cipher
Read more