DOI: 10.1145/3133956.3133992
Research article, ACM CCS conference proceedings

Better Bounds for Block Cipher Modes of Operation via Nonce-Based Key Derivation

Published: 30 October 2017
Abstract

Block cipher modes of operation provide a way to securely encrypt using a block cipher. The main factors in analyzing modes of operation are the level of security achieved (chosen-plaintext security, authenticated encryption, nonce-misuse resistance, and so on) and performance. When measuring the security level of a mode of operation, it does not suffice to consider asymptotics, and a concrete analysis is necessary. This is especially the case today, when encryption rates can be very high, and so birthday bounds may be approached or even reached. In this paper, we show that key derivation at every encryption significantly improves the security bounds in many cases. We present a new key derivation method that utilizes a truncated block cipher, and show that this is far better than standard block-cipher based key derivation. We prove that by using our key derivation method, we obtain greatly improved bounds for many modes of operation, with the result that the lifetime of a key can be significantly extended. We demonstrate this for AES-CTR (CPA-security), AES-GCM (authenticated encryption) and AES-GCM-SIV (nonce-misuse resistance). Finally, we demonstrate that when using modern hardware with AES instructions (AES-NI), the performance penalty of deriving keys at each encryption is insignificant for most uses.
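The derivation the abstract describes, as an added example that is not code from the paper or from any AES-GCM-SIV implementation: the block cipher is applied to (counter || nonce) blocks and the outputs are concatenated, either whole (standard block-cipher key derivation) or truncated (the method the abstract advocates). A seeded random permutation on 18-bit blocks stands in for AES so that the script runs offline, and the block, nonce, counter and truncation widths are scaled-down assumptions chosen for the toy; AES-GCM-SIV (RFC 8452) uses the same structure with AES-128 or AES-256, a 32-bit little-endian counter followed by the 96-bit nonce, keeping the first 8 bytes of each output. The collision experiment makes the reason for truncation visible: keys derived from the full permutation output never repeat across nonces, whereas a random function would produce birthday collisions, and that absence of collisions is exactly what a PRP-vs-PRF distinguisher detects once the number of nonces approaches the birthday bound. Truncated outputs collide at the rate of a random function, so the derived keys behave like independent random keys for far more nonces.

```python
"""
Toy model of nonce-based key derivation with and without output truncation.

Constructed example (not the paper's code). A seeded random permutation on
N_BITS-bit blocks stands in for the keyed block cipher E_K so the script
runs offline. Sizes are scaled-down assumptions; AES-GCM-SIV (RFC 8452)
uses 128-bit blocks, a 96-bit nonce, a 32-bit counter and keeps 64 bits
of each output.
"""
import random

N_BITS = 18                         # toy block size      (AES: 128)
NONCE_BITS = 14                     # toy nonce size      (AES-GCM-SIV: 96)
COUNTER_BITS = N_BITS - NONCE_BITS  # the counter fills the rest of the block
M_BITS = 8                          # bits kept per block (AES-GCM-SIV: 64)


def random_permutation(n_bits: int, seed: int = 2017):
    """A fixed random permutation on n-bit blocks, standing in for E_K."""
    table = list(range(1 << n_bits))
    random.Random(seed).shuffle(table)
    return table.__getitem__  # callable: perm(block) -> block


def derive_key(perm, nonce: int, n_blocks: int, truncate: bool) -> int:
    """Nonce-based derivation: concatenate E_K(ctr || nonce), ctr = 0..n_blocks-1.

    truncate=False keeps whole blocks (standard block-cipher derivation);
    truncate=True keeps only M_BITS of each output (truncated-cipher derivation).
    Which bits are kept is immaterial for the argument; RFC 8452 keeps the
    first 8 bytes, this toy keeps the low M_BITS.
    """
    if not 0 <= nonce < (1 << NONCE_BITS):
        raise ValueError("nonce out of range")
    if n_blocks > (1 << COUNTER_BITS):
        raise ValueError("counter would wrap into the nonce field")
    width = M_BITS if truncate else N_BITS
    key = 0
    for ctr in range(n_blocks):
        block = (ctr << NONCE_BITS) | nonce  # counter in the high bits, nonce below
        out = perm(block)
        if truncate:
            out &= (1 << M_BITS) - 1
        key = (key << width) | out
    return key


def colliding_pairs(values) -> int:
    """Number of index pairs i < j with values[i] == values[j]."""
    counts = {}
    for v in values:
        counts[v] = counts.get(v, 0) + 1
    return sum(c * (c - 1) // 2 for c in counts.values())


def expected_pairs_random_function(q: int, out_bits: int) -> float:
    """Birthday expectation: colliding pairs among q outputs of a random function."""
    return q * (q - 1) / 2 / (1 << out_bits)


def collision_experiment(perm, truncate: bool):
    """Derive the first key block for every nonce and count repeated values.

    Returns (observed_pairs, pairs_expected_from_a_random_function).
    """
    q = 1 << NONCE_BITS
    outs = [derive_key(perm, nonce, 1, truncate) for nonce in range(q)]
    width = M_BITS if truncate else N_BITS
    return colliding_pairs(outs), expected_pairs_random_function(q, width)


if __name__ == "__main__":
    perm = random_permutation(N_BITS)
    for truncate in (False, True):
        observed, expected = collision_experiment(perm, truncate)
        label = "truncated" if truncate else "full-block"
        print(f"{label:10s}: {observed} colliding pairs; "
              f"a random function would give about {expected:.0f}")
```

With 2^14 nonces on an 18-bit block the full-block derivation shows 0 repeated key blocks where a random function would show about 512, a gap the distinguisher sees immediately; the truncated derivation lands within a few percent of the random-function expectation. Replacing the toy permutation with AES and the widths with RFC 8452's gives the AES-GCM-SIV derivation, and the paper's bounds quantify how many nonces each variant tolerates under one master key.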


Published In

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
October 2017
2682 pages
ISBN: 9781450349468
DOI: 10.1145/3133956
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher: Association for Computing Machinery, New York, NY, United States


Badges

• Best Paper

Author Tags

1. aes-gcm-siv
2. block ciphers
3. key derivation
4. modes of operation

Conference: CCS '17

Acceptance Rates

CCS '17 paper acceptance rate: 151 of 836 submissions, 18%
Overall acceptance rate: 1,261 of 6,999 submissions, 18%


Contributors: Shay Gueron and Yehuda Lindell

