Phillip Rogaway
Mihir Bellare
Ted Krovetz
ABSTRACT
We describe a parallelizable block-cipher mode of operation that simultaneously provides privacy and authenticity. OCB encrypts-and-authenticates a nonempty string M ε {0,1}• using \lceil |M|/n\rceil + 2 block-cipher invocations, where n is the block length of the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, suggested by Charanjit Jutla. Desirable properties of OCB include: the ability to encrypt a bit string of arbitrary length into a ciphertext of minimal length; cheap offset calculations; cheap session setup; a single underlying cryptographic key; no extended-precision addition; a nearly optimal number of block-cipher calls; and no requirement for a random IV. We prove OCB secure, quantifying the adversary's ability to violate the mode's privacy or authenticity in terms of the quality of its block cipher as a pseudorandom permutation (PRP) or as a strong PRP, respectively.
- 1.J.An and M.Bellare.D es encryption with redundancy provide authenticity?Advances in Cryptology - EUROCRYPT 2001. Lecture Notes in Computer Science,v l.2045,B.P .tzmann,ed., Springer-Verlag,2001.www-cse.ucsd.edu/users/mihir]] Google Scholar
Digital Library
- 2.K.Aoki and H.Lipmaa.Fast implementations f AES candidates.Third AES Candidate Conference, New York City,USA,Apr 2000,pp.106 -120. www.tml.hut../ ~helger]]Google Scholar
- 3.M.Bellare,A.Desai,E.Jokipii,and P.Rogaway.A concrete security treatment of symmetric encryption: Analysis of the DES modes f peration.Proceedings of 38th Annual Symposium on Foundations of Computer Science (FOCS 97),IEEE,1997. www.cs.ucdavis.edu/ ~rogaway]] Google ScholarDigital Library
- 4.M.Bellare,A.Desai,D.Pointcheval,and P.Rogaway.Relations among notions f security for public-key encryption schemes.Advances in Cryptology - CRYPTO '98 Lecture Notes in Computer Science,v l.1462,H.Krawczyk,ed., Springer-Verlag.www.cs.ucdavis.edu/ ~rogaway]] Google ScholarDigital Library
- 5.M.Bellare,R.Guerin,and P.Rogaway."XOR MACs:New methods for message authentication using .nite pseudorandom functions."Advances in Cryptology - CRYPTO '95 Lecture Notes in Computer Science,v l.963,Springer-Verlag, D.Coppersmith,ed.,pp.15 -28,1995. www.cs.ucdavis.edu/ ~rogaway]] Google ScholarDigital Library
- 6.M.Bellare,J.Kilian,and P.Rogaway.The security of the cipher block chaining message authentication code.Journal of Computer and System Sciences v l.61,no.3,Dec 2000.]] Google ScholarDigital Library
- 7.M.Bellare and C.Namprempre.Authenticated encryption:Relations among notions and analysis of the generic composition paradigm.Advances in Cryptology - ASIACRYPT '00 Lecture Notes in Computer Science,v l.1976,T.Okamoto.,ed., Springer-Verlag,2000.www-cse.ucsd.edu/users/mihir]] Google ScholarDigital Library
- 8.M.Bellare and P.Rogaway.Encode-then-encipher encryption:H w to exploit nonces r redundancy in plaintexts for e .cient encryption.Advances in Cryptology - ASIACRYPT '00 Lecture Notes in Computer Science,v l.1976,T.Okamoto.,ed., Springer-Verlag,2000.www.cs.ucdavis.edu/ ~rogaway]] Google ScholarDigital Library
- 9.D.Bleichenbacher.Chosen ciphertext attacks against protocols based n RSA encryption standard PKCS #1.Advances in Cryptology - CRYPTO '98 Lecture Notes in Computer Science,vol.1462,pp.1 -12,1998. www.bell-labs.com/user/bleichen]] Google ScholarDigital Library
- 10.D.Dolev,C.Dwork,and M.Naor.Nonmalleable cryptography.SIAM J. on Comp.,vl.30,n.2, pp.391 -437,2000.]] Google ScholarDigital Library
- 11.V.Gligor and P.Donescu.Integrity-aware PCBC encryption schemes.Security Protocols, 7th International Workshop, Cambridge, UK, April 1999 Proceedings Lecture notes in Computer Science, v l.1796,Springer-Verlag,pp.153 -171,2000.]] Google ScholarDigital Library
- 12.V.Gligor and P.Donescu.Fast encryption and authentication:XCBC encryption and XECB authentication modes.Manuscript,Aug 18,2000. Frmerly available from www.eng.umd.edu/ ~gligor.]]Google Scholar
- 13.V.Gligor and P.Donescu.Fast encryption and authentication:XCBC encryption and XECB authentication modes.Contribution t NIST,Oct 27, 2000.csrc.nist.gov/encryption/aes/modes]]Google Scholar
- 14.V.Gligor and P.Donescu.Fast encryption and authentication:XCBC encryption and XECB authentication modes.Contribution t NIST.Mar 30, 2001,rev.Apr 20,2001. csrc.nist.gov/encryption/modes/prop sedmodes]]Google Scholar
- 15.V.Gligor and P.Donescu.Fast encryption and authentication:XCBC encryption and XECB authentication modes.Fast Software Encryption Lecture Notes in Computer Science,Springer-Verlag, Apr 2001.]] Google ScholarDigital Library
- 16.S.Goldwasser and S.Micali.Probabilistic encryption.Journal of Computer and System Sciences vol.28,Apr 1984,pp.270 -299.]]Google Scholar
- 17.S.Halevi.An observation regarding Jutla 's m des of operation.Cryptology ePrint archive,reference number 2001/015,submitted Feb 22,2001,revised Apr 2,2001.eprint.iacr.org]]Google Scholar
- 18.C.Jutla.Encryption modes with almost free message integrity.Cryptology ePrint archive,rep rt 2000/039, Aug 1,2000.eprint.iacr.org]]Google Scholar
- 19.C.Jutla.Encryption modes with almost free message integrity.Contribution t NIST.Undated manuscript, appearing Oct 2000 at csrc.nist.gov/encryption/modes/workshop1]]Google Scholar
- 20.C.Jutla.Encryption modes with almost free message integrity.Contribution t NIST.P sted May 24,2001 at csrc.nist.gov/encryption/modes/proposedmodes]]Google Scholar
- 21.C.Jutla.Encryption modes with almost free message integrity.Advances in Cryptology - EUROCRYPT 2001. Lecture Notes in Computer Science,vol.2045, B.P .tzmann,ed.,Springer-Verlag,2001.]] Google ScholarDigital Library
- 22.J.Katz and M.Yung.Unforgeable encryption and adaptively secure modes f peration.Fast Software Encryption '00 Lecture Notes in Computer Science, B.Schneier,ed.,2000.]] Google ScholarDigital Library
- 23.J.Katz and M.Yung.Complete characterization f security notions for probabilistic private-key encryption.STOC 2000,pp.245 -254,2000.]] Google ScholarDigital Library
- 24.H.Krawczyk.The rder of encryption and authentication for protecting communications (or: How secure is SSL?).Advances in Cryptology - CRYPTO '01.Springer-Verlag,2001.Earlier version as ePrint rep rt 2001/045,Jun 6,2001. eprint.iacr.org/20001/045]] Google ScholarDigital Library
- 25.H.Lipmaa.Personal communications,Jul 2001. Further information at www.tcs.hut../ ~helger]]Google Scholar
- 26.M.Luby and C.Rack ..How t construct pseudororandom permutations from pseudorandom functions.SIAM J. Computation vol.17,no.2, Apr 1988.]] Google ScholarDigital Library
- 27.M.Matyas and S.Matyas.Cryptography: A new dimension in computer data security. John Wiley & Sons,New Y rk,1982.]]Google Scholar
- 28.RSA Laboratories.PKCS #1:RSA encryption standard,Version 1.5,Nov 1993;and PKCS #1:RSA cryptography speci .cations,Version 2.0,Sep 1998, B.Kaliski and J.Staddon. www.rsasecurity.com/rsalabs/pkcs/pkcs-1]]Google Scholar
- 29.J.Steiner,C.Neuman,and J.Schiller.Kerberos:an authentication service for open network systems. Proceedings of the Winter 1988 Usenix Conference pp.191 -201,1988.]]Google Scholar
- 30.B.Preneel.Cryptographic primitives for information authentication -State of the art.State of the Art in Applied Cryptography COSIC '97,LNCS 1528, B.Preneel and V.Rijmen,eds.,Springer-Verlag, pp.49 -104,1998.]] Google ScholarDigital Library
- 31.P.Rogaway.OCB m de:Parallelizable authenticated encryption.Contribution t NIST,Oct 16,2000. (Preliminary version of the OCB algorithm.) csrc.nist.gov/encryption/modes/workshop1]]Google Scholar
- 32.P.Rogaway (submitter)and M.Bellare,J.Black, and T.Krovetz (auxiliary submitters).OCB m de. Contribution t NIST.Cryptology ePrint archive, rep rt 2001/26,Apr 1,2001,revised Apr 18,2001. ePrint.iacr.org and csrc.nist.gov/encryption/modes/proposedmodes.]]Google Scholar
- 33.P.Rogaway,M.Bellare,J.Black,and T.Krovetz. OCB:A block-cipher m de f peration for e .cient authenticated encryption.Full version f this paper. Aug 2001.www.cs.ucdavis.edu/~rogaway]] Google ScholarDigital Library
- 34.US National Institute f Standards.Specification for the Advanced Encryption Standard (AES).Draft Federal Information Processing Standards,Feb 28, 2001.Based n:J.Daemen and V.Rijmen,AES Proposal:Rijndael.Sep 3,1999.www.nist.gov/aes]]Google Scholar
Index Terms
- OCB: a block-cipher mode of operation for efficient authenticated encryption
Recommendations
OCB: A block-cipher mode of operation for efficient authenticated encryption
We describe a parallelizable block-cipher mode of operation that simultaneously provides privacy and authenticity. OCB encrypts-and-authenticates a nonempty string M ∈ {0, 1}* using ⌈|M|/n⌉ + 2 block-cipher invocations, where n is the block length of ...
XTS: A Mode of AES for Encrypting Hard Disks
The XTS mode of the Advanced Encryption Standard (AES) works within the constraints of hard disks while keeping the security that the AES algorithm provides. It's based on Phil Rogaway's XEX (Xor-Encrypt-Xor) construction and uses ciphertext stealing to ...
Improved convertible authenticated encryption scheme with provable security
Convertible authenticated encryption (CAE) schemes allow a signer to produce an authenticated ciphertext such that only a designated recipient can decrypt it and verify the recovered signature. The conversion property further enables the designated ...
Comments