52 Things: Number 27: What is the AEAD security definition for symmetric key encryption?

This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know To Do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. This post kicks off the 'Security Definitions and Proofs' section with a brief overview of Authenticated Encryption (AE) and its extension with associated data (AEAD).

In a recent post Luke described a number of widely used modes of operation (ECB, CBC and CTR) for blockciphers; these modes provide privacy (confidentiality) only. We may also want integrity from our encryption mechanism, meaning that the recipient is assured that the message it receives is the one that was sent, without accidental changes or intentional tampering, and authenticity, meaning that the receiver is convinced of the origin of the message. To get these additional goals we usually add a message authentication code (MAC); the most widely used MACs are those based on blockciphers (CBC-MAC and its descendants) and those based on hash functions (HMAC). Putting the two primitives together is non-trivial: the generic composition that yields an IND-CCA secure (indeed INT-CTXT secure) scheme from any IND-CPA secure encryption scheme and any strongly unforgeable MAC is 'Encrypt-then-MAC', meaning that the MAC is computed over the ciphertext (together with the nonce or IV) and verified before anything is decrypted. 'Encrypt-and-MAC' and 'MAC-then-Encrypt' can be secure for particular instantiations but are not secure in general (see here and here for more info on those two compositions, with a focus on why one should avoid them). The 'AD' refers to variable-length associated data such as packet headers: it is an input to the MAC but not to the encryption, so we expect authenticity and integrity but not confidentiality from this optional component, and a receiver rejects a ciphertext whose associated data has been altered in transit. For further reading and examples, see Adam Langley's blog on the topic.

Next week's blog post will give an in-depth overview of IND-CCA2 security in the context of public-key encryption. The 'real-or-random' formulation of IND-CCA2 (and IND-CCA1) gives the adversary access to an encryption oracle, which has the key k hardwired and on input a message m returns either a 'real' encryption Ek(m) or a 'fake' encryption Ek($^{|m|}) of a uniformly random string of the same length, and a decryption oracle that on input a ciphertext c returns Dk(c); the adversary is then asked to distinguish which world it is in (with the usual restriction that ciphertexts obtained from the encryption oracle may not be submitted to the decryption oracle, since that would make the distinction trivial). In 2004 Shrimpton showed that a new notion dubbed IND-CCA3, in which the decryption oracle of the 'fake' world is replaced by one that always returns the invalid symbol (⊥), is equivalent to the previously considered notion of AE, where privacy (IND-CPA) and authenticity/integrity (INT-CTXT) are treated as two separate goals. This observation was incorporated into Rogaway and Shrimpton's paper on the key-wrap problem and Deterministic Authenticated Encryption. For more information on the impact of associated data, see here and here.
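As an added example that is not part of the original post, the Python below implements the Encrypt-then-MAC composition with associated data from the earlier paragraph and then plays the IND-CCA3 experiment from this paragraph against it. HMAC-SHA256 stands in for the blockcipher (used as a PRF in counter mode and as the MAC), the tag is truncated to 16 bytes, and the 'fake' world's decryption oracle returns the invalid symbol, modelled here as None; the function names, header strings and sample key are constructed for the illustration. The auth_ad=False switch produces a scheme that forgets to include the associated data in the MAC, and an adversary that merely swaps the header distinguishes the two worlds with advantage 1, whereas against the proper scheme the same adversary has advantage 0.

```python
"""Encrypt-then-MAC AEAD with associated data, and the IND-CCA3 game.

Added example (not from the original post).  HMAC-SHA256 replaces the
blockcipher so the code runs with the standard library only; every name
here is an assumption made for illustration.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

TAG_LEN = 16          # truncated tag length in bytes (128 bits, as in GCM/CCM)
BOTTOM = None         # stands for the invalid symbol a rejecting decryption returns


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(ke: bytes, nonce: bytes, n: int) -> bytes:
    # CTR mode over the PRF: block i = PRF(ke, nonce || i).  A blockcipher (AES)
    # sits here in CCM/GCM; any PRF in counter mode gives an IND-CPA secure stream.
    blocks = [_prf(ke, nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def _mac_input(nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    # Length-prefix the AD so the (ad, ct) boundary is unambiguous (GCM's final
    # length block serves the same purpose) and bind the nonce into the tag.
    return len(ad).to_bytes(8, "big") + ad + nonce + ct


def encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes, auth_ad: bool = True) -> bytes:
    """Encrypt-then-MAC: output = CTR(msg) || MAC(ad, nonce, CTR(msg)).
    auth_ad=False deliberately leaves the AD out of the MAC (the broken variant)."""
    ke, km = key[:16], key[16:]          # independent encryption and MAC keys
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(ke, nonce, len(msg))))
    tag = _prf(km, _mac_input(nonce, ad if auth_ad else b"", ct))[:TAG_LEN]
    return ct + tag


def decrypt(key: bytes, nonce: bytes, ad: bytes, ct_tag: bytes, auth_ad: bool = True) -> Optional[bytes]:
    """Verify the tag in constant time first; decrypt only if it is valid."""
    if len(ct_tag) < TAG_LEN:
        return BOTTOM
    ke, km = key[:16], key[16:]
    ct, tag = ct_tag[:-TAG_LEN], ct_tag[-TAG_LEN:]
    expected = _prf(km, _mac_input(nonce, ad if auth_ad else b"", ct))[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return BOTTOM
    return bytes(a ^ b for a, b in zip(ct, _keystream(ke, nonce, len(ct))))


def tamper_checks(key: bytes = bytes(range(32)), nonce: bytes = bytes(12)) -> Tuple[bool, bool, bool]:
    """Round trip succeeds; a flipped ciphertext bit or an altered AD is rejected."""
    c = encrypt(key, nonce, b"hdr", b"hello")
    flipped = bytes([c[0] ^ 1]) + c[1:]
    return (decrypt(key, nonce, b"hdr", c) == b"hello",
            decrypt(key, nonce, b"hdr", flipped) is BOTTOM,
            decrypt(key, nonce, b"hdx", c) is BOTTOM)


class IndCca3Game:
    """One world of the IND-CCA3 experiment.
    real=True : Enc returns E_k(N, A, M) and Dec returns D_k(N, A, C).
    real=False: Enc returns E_k(N, A, $^{|M|}) and Dec always returns the invalid symbol.
    Triples returned by Enc may not be submitted to Dec (that would be a trivial win)."""

    def __init__(self, real: bool, auth_ad: bool = True):
        self.real, self.auth_ad = real, auth_ad
        self.key = os.urandom(32)
        self.seen = set()

    def enc(self, nonce: bytes, ad: bytes, msg: bytes) -> bytes:
        m = msg if self.real else os.urandom(len(msg))
        c = encrypt(self.key, nonce, ad, m, self.auth_ad)
        self.seen.add((nonce, ad, c))
        return c

    def dec(self, nonce: bytes, ad: bytes, c: bytes) -> Optional[bytes]:
        if (nonce, ad, c) in self.seen or not self.real:
            return BOTTOM
        return decrypt(self.key, nonce, ad, c, self.auth_ad)


def ad_swapping_adversary(game: IndCca3Game) -> bool:
    """Encrypt one message under header A, then submit the same ciphertext under
    header A' to Dec.  Guess 'real' iff Dec accepts."""
    nonce = os.urandom(12)
    c = game.enc(nonce, b"to:alice", b"pay alice 10")
    return game.dec(nonce, b"to:mallory", c) is not BOTTOM


def advantage(auth_ad: bool, trials: int = 32) -> float:
    """Pr[guess real | real world] - Pr[guess real | fake world]."""
    real = sum(ad_swapping_adversary(IndCca3Game(True, auth_ad)) for _ in range(trials))
    fake = sum(ad_swapping_adversary(IndCca3Game(False, auth_ad)) for _ in range(trials))
    return (real - fake) / trials


if __name__ == "__main__":
    print("advantage, AD authenticated:  ", advantage(True))    # 0.0
    print("advantage, AD left out of MAC:", advantage(False))   # 1.0
```

The game enforces only the standard restriction (no decryption query on a triple the encryption oracle produced); a nonce-respecting adversary must additionally never repeat a nonce to Enc, which this adversary satisfies by making a single encryption query per game.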

In practice, a large proportion of traffic uses CCM mode, which combines a blockcipher in counter mode with CBC-MAC in the MAC-then-Encrypt style (the CBC-MAC tag is computed over the associated data and the plaintext and is then encrypted along with the message), and GCM, which follows Encrypt-then-MAC with a blockcipher in counter mode and a polynomial-based universal hash function called GHASH evaluated over the associated data and the ciphertext. CCM is comparatively inefficient as it requires two blockcipher calls per message block, and it is not online (the message length needs to be known before processing can begin, because it is encoded into the first CBC-MAC block). GCM, as this paper by Saarinen shows, has weak keys: if the hash key H has small multiplicative order in GF(2^128), then blocks whose positions differ by a multiple of that order can be swapped without changing the tag, which yields a forgery.
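The weak-key observation above can be checked directly. The following Python is an added example, not code from the post or from Saarinen's paper: it implements GF(2^128) multiplication as specified for GCM, GHASH over a list of 128-bit blocks, finds a hash key H of multiplicative order 3 (H = g^((2^128-1)/3) for a g that is not a cube), and shows that under such an H swapping two blocks whose positions differ by 3 leaves GHASH, and hence the GCM tag, unchanged. The sample blocks and the comparison key are constructed; in real GCM, H = E_K(0^128) is derived from the secret key and cannot be chosen, so what matters in practice is the probability of landing in a weak-key class, not an explicit search.

```python
"""GHASH, the polynomial hash inside GCM, and its weak keys.

Added example (not from the original post or Saarinen's paper).  Field
arithmetic follows NIST SP 800-38D Algorithm 1 with blocks as 128-bit
integers; the sample blocks and the comparison hash key are constructed.
"""
from typing import List

R = 0xE1 << 120            # x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected encoding
ONE = 1 << 127             # the field element 1: leftmost bit is the coefficient of x^0
GROUP_ORDER = 2**128 - 1   # size of the multiplicative group of GF(2^128); divisible by 3


def gf_mult(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements (SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_pow(h: int, e: int) -> int:
    """Square-and-multiply exponentiation in GF(2^128)."""
    result, base = ONE, h
    while e:
        if e & 1:
            result = gf_mult(result, base)
        base = gf_mult(base, base)
        e >>= 1
    return result


def ghash(h: int, blocks: List[int]) -> int:
    """Y_i = (Y_{i-1} xor X_i) * H, i.e. the sum of X_i * H^(n-i) over the blocks.
    In GCM the blocks are the padded AD, the padded ciphertext and a length block,
    and the tag is GHASH xor E_K(J0): equal GHASH values therefore give equal tags."""
    y = 0
    for x in blocks:
        y = gf_mult(y ^ x, h)
    return y


def find_order3_key() -> int:
    """Return an H with H^3 = 1 and H != 1: g^((2^128-1)/3) for the first g that is not a cube."""
    e = GROUP_ORDER // 3
    for g in range(1, 64):          # small integers read as field elements
        h = gf_pow(g, e)
        if h != ONE:
            return h
    raise RuntimeError("no non-cube among the candidates")


def swap_blocks(blocks: List[int], i: int, j: int) -> List[int]:
    out = list(blocks)
    out[i], out[j] = out[j], out[i]
    return out


def swap_preserves_ghash(h: int, blocks: List[int], i: int, j: int) -> bool:
    """Does swapping blocks i and j leave GHASH (hence the GCM tag) unchanged?"""
    return ghash(h, blocks) == ghash(h, swap_blocks(blocks, i, j))


# Constructed sample: four distinct 16-byte blocks.  NORMAL_H is the field element x,
# whose order is provably larger than 3, so it stands in for a non-weak hash key.
SAMPLE_BLOCKS = [int.from_bytes(bytes([b]) * 16, "big") for b in (0x11, 0x22, 0x33, 0x44)]
NORMAL_H = 1 << 126


if __name__ == "__main__":
    weak = find_order3_key()
    print("weak H has H^3 == 1:", gf_pow(weak, 3) == ONE)
    print("swap blocks 0,3 under weak H keeps tag:  ", swap_preserves_ghash(weak, SAMPLE_BLOCKS, 0, 3))
    print("swap blocks 0,1 under weak H keeps tag:  ", swap_preserves_ghash(weak, SAMPLE_BLOCKS, 0, 1))
    print("swap blocks 0,3 under normal H keeps tag:", swap_preserves_ghash(NORMAL_H, SAMPLE_BLOCKS, 0, 3))
```

Swapping positions 0 and 1 under the order-3 key does change the hash, because their coefficients H^4 = H and H^3 = 1 differ; only positions separated by a multiple of the order collide. The degenerate key H = 1 (order 1) reduces GHASH to a plain XOR of the blocks, so any permutation is a forgery there.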

The CAESAR competition is currently in progress, with the aim of selecting a portfolio of authenticated ciphers for recommendation based on thorough academic public scrutiny. One of the main aims is to get more researchers thinking about such a vital topic, and the large number (and varied nature) of first round submissions indicates this goal has already been achieved. The second round candidates are expected to be announced next week, and an overview of the submissions can be found at the AE Zoo which is run by a number of researchers from DTU.
posted @ 3cH0_Nu1L


