Source: 2014.diac.cr.yp.to/slides/penazzi-silver-cpfb.pdf

Silver and AESCPFB

Miguel Montes [1], Daniel Penazzi [2]

[1] Instituto Universitario Aeronáutico, Córdoba, Argentina

[2] Universidad Nacional de Córdoba, Facultad de Matemática, Astronomía y Física, Córdoba, Argentina

23-24 August 2014

Miguel Montes, Daniel Penazzi ( Instituto Universitario Aeronáutico, Córdoba, Argentina, Universidad Nacional de Córdoba, Facultad de Matemática, Astronomía y Física, Córdoba, Argentina)Silver and AESCPFB DIAC14 1 / 22

Table of Contents

1 Overview

2 Silver

3 CPFB

4 Comments


Overview

CPFB is a mode of operation; it uses AES as a black box, including the key expansion.
Silver is a tweak of AES. The tweak can be thought of as wholly contained within the key expansion, so only the encryption/decryption component of AES can be used as a black box.
Silver is basically ECB with a change in the key expansion on each block; CPFB is a mix of counter mode with plaintext feedback mode.
Silver can be parallelized on both encryption and decryption, CPFB only on encryption.
CPFB only requires the encryption module of AES; Silver requires both the encryption and decryption modules.
Both are based wholly on AES (no Galois field operations or calls to other hashes or MACs).
Both use the nonce and master key to derive session keys.

Silver

We wanted Silver to be AES based and parallelizable in both encryption and decryption.
So we chose a tweaked ECB mode.
The tweak consists in changing some round keys.
We chose the 1st, 5th and 9th round keys to take advantage of the AES 4-round property.
The change to the round keys is a simple xor with a counter, but the counter is key and nonce dependent.
Key and nonce of 128 bits each.
(Since every tweak is derived from the key and the nonce, a repeated nonce under the same key repeats every per-block tweak, and equal plaintext blocks at equal positions then give equal ciphertext blocks, exactly the ECB leak the tweak is there to prevent.)

Encrypt(P, roundkeys, κ, IC)

+ is the sum in (ℤ/2^64ℤ) × (ℤ/2^64ℤ): the two 64-bit halves of a 128-bit value are added independently mod 2^64.

Split P into 128-bit blocks, the last block partial if necessary (no padding).
κ = AES_key(npub), counter ← {0}^128, XT ← {0}^128
IC ← AES_{roundkey_9}(κ) OR ([1]_64 || [1]_64)
    (the OR makes both 64-bit halves of IC odd, so each half of the sequence counter, counter+IC, counter+2·IC, ... has full period 2^64)
For i ← 1 ... last complete block
    counter ← counter + IC
    temprkeys_j = roundkeys_j                      (j ≠ 1,5,9)
    temprkeys_j = roundkeys_j ⊕ (κ + counter)      (j = 1,5,9)
    encrypt P_i using AES with temprkeys to obtain C_i
    XT ← XT ⊕ P_i ⊕ (C_i + κ + counter)

If there is a last incomplete block P_s of ℓ bytes, encrypt it with, basically, counter mode:

bP = [|P|_8]_64        (the length of P in bytes, as a 64-bit value)
counter ← counter + IC
tmp = encrypt (bP || bP) with the round keys associated to the counter
Split tmp into bytes tmp_1 || tmp_2 || ... || tmp_16
C_s = P_s ⊕ (tmp_1 || ... || tmp_ℓ)

To authenticate:
B = P_s || tmp_{ℓ+1} || ... || tmp_15 || [ℓ]_8
counter ← counter + IC
XT ← XT ⊕ (encryption of B with AES using the round keys associated to the new counter)

Return (C, XT)

Miguel Montes, Daniel Penazzi ( Instituto Universitario Aeronáutico, Córdoba, Argentina, Universidad Nacional de Córdoba, Facultad de Matemática, Astronomía y Física, Córdoba, Argentina)Silver and AESCPFB DIAC14 8 / 22

Page 38:

Silver

ProcessAD(A, roundkeys, κ, IC)

Split A into 128-bit blocks, padding with the bytes 1,0,...,0 if necessary (but only if necessary).

Encrypt the blocks with the roundkeys associated to counters, but this time the counter increases by AIC = IC & ({1}^64 || {0}^64).

If the last block is complete, use the counter that would go there; else, use counter 0.

Xor all the ciphertexts to form an AD tag AT.
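The splitting, padding and counter rule above, as an added example that is not code from the slides or from the Silver authors. It assumes a placeholder keyed PRF (HMAC-SHA256 keyed on the key, counter mixed into the input, truncated to 128 bits) in place of AES with counter-tweaked round keys, that block i is processed under counter i·AIC starting from AIC for the first block, and that empty associated data yields no blocks; the names tweaked_encrypt, split_ad and process_ad are this example's own.

```python
"""Silver ProcessAD bookkeeping: split, pad only if needed, pick counters, XOR.

Added example.  The tweaked AES of Silver is replaced by a placeholder PRF so
the block handling runs stand-alone; swap in the real primitive to get Silver's AT.
"""
import hashlib
import hmac

BLOCK = 16
MASK_HI64 = ((1 << 64) - 1) << 64          # {1}^64 || {0}^64 as a 128-bit mask


def tweaked_encrypt(key: bytes, counter: int, block: bytes) -> bytes:
    """Stand-in (assumption) for AES with the round keys associated to `counter`."""
    assert len(block) == BLOCK
    data = counter.to_bytes(16, "big") + block
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_ad(ad: bytes):
    """Split A into 128-bit blocks; pad the last one with 1,0,...,0 only if it is short.

    Returns (blocks, last_complete).  Empty A yields no blocks (an assumption of
    this example; the slide does not spell out the empty case).
    """
    blocks = [ad[i:i + BLOCK] for i in range(0, len(ad), BLOCK)]
    last_complete = len(ad) % BLOCK == 0
    if not last_complete:
        short = blocks[-1]
        blocks[-1] = short + b"\x01" + b"\x00" * (BLOCK - 1 - len(short))
    return blocks, last_complete


def process_ad(key: bytes, ad: bytes, ic: int) -> bytes:
    """AD tag AT = XOR of the per-block encryptions under counter-tweaked keys."""
    aic = ic & MASK_HI64                    # AIC = IC & ({1}^64 || {0}^64)
    blocks, last_complete = split_ad(ad)
    at = bytes(BLOCK)
    for i, blk in enumerate(blocks, start=1):
        # Block i uses counter i*AIC (assumed to start from AIC for block 1);
        # a padded last block is processed under counter 0 instead, which is
        # what keeps "15 bytes + padding" apart from "the same 16 bytes unpadded".
        is_last = i == len(blocks)
        counter = 0 if (is_last and not last_complete) else (i * aic) % (1 << 128)
        at = xor(at, tweaked_encrypt(key, counter, blk))
    return at


if __name__ == "__main__":
    key = bytes(range(16))                                  # constructed sample key
    ic = int("0123456789abcdeffedcba9876543210", 16)        # constructed sample IC
    print(process_ad(key, b"A" * 15, ic).hex())             # padded, counter 0
    print(process_ad(key, b"A" * 15 + b"\x01", ic).hex())   # complete, counter AIC
```

Running it prints two different tags for the two inputs, which is the point of "pad only if necessary" combined with the counter-0 rule: the padded 15-byte AD and the unpadded 16-byte AD ending in 0x01 present the same block bytes but are encrypted under different counters.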


Page 43:

Silver

Tag

Obtain AT, XT as above.

Final tag T is the encryption of AT ⊕ XT with AES and roundkeys given by:

roundkeys changed by using counter g ← ([|A|_8]_64 || [|P|_8]_64)

and changing the order of the roundkeys using the permutation (2,3,4,6,7,8,10,0)(9,1,5)

Decryption and Verification are the obvious ones.


Page 48:

Silver

In addition to the tweak on each block, Silver changes the key expansion of AES so that the nonce also influences the roundkeys:

κ = AES_key(npub)

roundkey_0 = AESroundkey_0(key) ⊕ AESroundkey_1(κ)

roundkey_i = AESroundkey_i(key) ⊕ AESroundkey_i(κ),  i ≠ 0, 1, 9

roundkey_i = AESroundkey_i(key),  i = 1, 9


Page 54:

Silver

Some of these details are there to block specific attacks. For example:

We use a mix of the expanded keys of key and κ, instead of only the expanded keys of κ, to prevent a key collision attack.

We use the plaintext and the ciphertext for the plaintext tag, but only the ciphertext (which is never seen by the adversary) for the associated data tag, so these two parts are treated differently.

To further differentiate them, the IC used is different.

The order of the round keys for the tag is different, to ensure that that call to the encryption function is not used elsewhere.

Several measures ensure that an attempted forgery must be done with texts of equal lengths.

The masking of the ciphertext in the construction of XT is there to give some protection in the case that the nonce is repeated by mistake.


Page 55:

Silver

In cycles per byte (cpb) on Haswell, Silver runs at:

With AES-NI instructions, it encrypts at:
0.73 cpb for long messages
1 cpb for 1536 bytes
10.8 cpb for 44 bytes

and decrypts at:
0.81 cpb for long messages
1.2 cpb for 1536 bytes
9.6 cpb for 44 bytes.

Without AES-NI the numbers are:
11.45/12.9 cpb for long messages,
11.85/13.59 cpb for 1536 bytes,
30.4/28.2 cpb for 44 bytes.


Page 56:

CPFB

Table of Contents

1 Overview

2 Silver

3 CPFB

4 Comments


Page 64:

CPFB

CPFB (Counter/Plaintext Feedback) combines CTR and PFB.

CTR provides security.

PFB gives an authenticator.

PFB is little used, partly because it can be vulnerable to a chosen-plaintext attack. Its combination with CTR prevents this.

CTR and PFB allow parallelization of encryption, but PFB prevents parallelization of decryption.

The public message number must be a nonce between 8 and 15 bytes.

The key can be 128 or 256 bits.

The message is split into 96-bit blocks, each one concatenated with a 32-bit counter.


Page 68:

CPFB

Initially two keys κ0, κ1 are generated from the nonce and key, in a manner similar to Silver, but with a counter added.

κ0 is used as the encryption key to process the AD, κ1 to process the message.

If the message is long, it may be necessary to generate more.

κ0 is also used as a mask in the message processing, to prevent a key collision attack, and in the processing of the tag.


Page 73:

CPFB

Encrypt(M, κ1, κ0)

Split the message into 96-bit blocks, with the last block incomplete if necessary (no padding).

X ← {0}^128
stream ← AES_κ1({0}^128), counter ← 0

For i ← 1...n:
    C_i ← M_i ⊕ MSB_96(stream)
    counter ← counter + 1
    stream ← AES_κ1((M_i || [counter]_32) ⊕ κ0)
    X ← X ⊕ stream

If there is a final partial block M*_{n+1} of length r:
    C*_{n+1} ← M*_{n+1} ⊕ MSB_r(stream)
    counter ← counter + 1
    stream ← AES_κ1((M*_{n+1} || {0}^{96−r} || [counter]_32) ⊕ κ0)
    X ← X ⊕ stream

Return (C, X)


Page 74

CPFB

Encrypt(M, κ1, κ0)

Split the message into 96-bit blocks, with the last block incomplete if necessary (no padding).

    X ← {0}128
    stream ← AESκ1(κ0), counter ← 0
    For i ← 1...n
        Ci ← Mi ⊕ MSB96(stream)
        counter ← counter + 1
        stream ← AESκ1((Mi || [counter]32) ⊕ κ0)
        X ← X ⊕ stream
    If there is a final partial block M∗n+1 of length r:
        C∗n+1 ← M∗n+1 ⊕ MSBr(stream)
        counter ← counter + 1
        stream ← AESκ1((M∗n+1 || {0}96−r || [counter]32) ⊕ κ0)
        X ← X ⊕ stream
    Return (C, X)



Page 78

CPFB

ProcessAD(AD, κ0)

Pad AD with zeroes and split it into 96-bit blocks.

    X ← {0}128, counter ← 0
    For i ← 1...n
        counter ← counter + 1
        X ← X ⊕ AESκ0(ADi || [counter]32)
    Return X



Page 84

CPFB

EncryptAndAuthenticate(AD,M,npub, key)

    (κ0, κ1) ← GenerateKeys(npub, key)
    mlen ← |M|/8, adlen ← |AD|/8
    XAD ← ProcessAD(AD, κ0)
    (C, XM) ← Encrypt(M, κ1, κ0)
    L ← AESκ0([mlen]64 || [adlen]32 || {0}32)
    T ← AESκ0(XAD ⊕ XM ⊕ L)
    Return (C, T)

Decryption and verification are the obvious ones.
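The three routines above assembled into Seal/Open, as an added Go example using the standard library's AES (not the authors' code); it follows the final form of the Encrypt slide, with stream initialised as AESκ1(κ0), and folds ProcessAD into the tag computation. Assumptions the slides do not fix: κ0 and κ1 are passed in directly as 16-byte AES keys (GenerateKeys is not reproduced), and [counter]32 is big-endian. The Open side shows the one step that is not quite "obvious": each keystream block depends on the previous plaintext block, so the decryptor must recover Mi before it can derive the keystream for the next block.

```go
package main

import "crypto/aes"
import "crypto/subtle"
import "encoding/binary"

// Assumption (not from the slides): κ0 and κ1 arrive directly as 16-byte AES keys (the deck derives them with
// GenerateKeys(npub, key), not reproduced here); κ0 doubles as the 128-bit feedback mask; [counter]_32 is big-endian.
func aesEnc(key, in []byte) []byte { // one AES block; the key schedule is rebuilt per call for brevity
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	b.Encrypt(out, in)
	return out
}
func xorInto(dst, v []byte) { // dst ← dst ⊕ v over the first len(v) bytes
	for i, b := range v {
		dst[i] ^= b
	}
}
func blk(body []byte, ctr uint32, mask []byte) []byte { // (body || {0}^{96-r} || [ctr]_32) ⊕ mask
	in := make([]byte, 16) // body is clipped to one 96-bit block; a nil mask is a no-op
	copy(in[:12], body)
	binary.BigEndian.PutUint32(in[12:], ctr)
	xorInto(in, mask)
	return in
}
func core(k1, k0, data []byte, decrypt bool) (out, x []byte) { // the slides' Encrypt, or its inverse
	out, x, stream := make([]byte, len(data)), make([]byte, 16), aesEnc(k1, k0) // stream ← AES_κ1(κ0)
	pt := data // the feedback always takes the plaintext block ...
	if decrypt {
		pt = out // ... which the decryptor has to recover first, before the next keystream block exists
	}
	for off := 0; off < len(data); off += 12 { // counter is the 1-based block index off/12+1
		r := copy(out[off:], stream[:12])   // r = 12, or the length of the final partial block
		xorInto(out[off:], data[off:off+r]) // C_i ← M_i ⊕ MSB_r(stream)
		stream = aesEnc(k1, blk(pt[off:off+r], uint32(off/12+1), k0)) // AES_κ1((M_i || [counter]_32) ⊕ κ0)
		xorInto(x, stream) // X ← X ⊕ stream
	}
	return out, x
}
func tag(k0, ad, xm []byte, mlen int) []byte { // T ← AES_κ0(XAD ⊕ XM ⊕ L), ProcessAD folded into the loop
	lens := make([]byte, 12) // [mlen]_64 || [adlen]_32 in bytes; blk's counter 0 supplies the trailing {0}^32
	binary.BigEndian.PutUint64(lens, uint64(mlen))
	binary.BigEndian.PutUint32(lens[8:], uint32(len(ad)))
	t := aesEnc(k0, blk(lens, 0, nil)) // L
	xorInto(t, xm)
	for off := 0; off < len(ad); off += 12 {
		xorInto(t, aesEnc(k0, blk(ad[off:], uint32(off/12+1), nil))) // X ← X ⊕ AES_κ0(AD_i || [counter]_32)
	}
	return aesEnc(k0, t)
}
func Seal(k0, k1, ad, m []byte) (c, t []byte) { // EncryptAndAuthenticate
	c, xm := core(k1, k0, m, false)
	return c, tag(k0, ad, xm, len(m))
}
func Open(k0, k1, ad, c, t []byte) ([]byte, bool) { // constant-time tag check; no plaintext on failure
	m, xm := core(k1, k0, c, true)
	if subtle.ConstantTimeCompare(t, tag(k0, ad, xm, len(c))) != 1 {
		return nil, false
	}
	return m, true
}
```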


Page 85

Comments



Page 86

Comments

Both algorithms came with proofs of security, although the reduction to AES security is tighter for AESCPFB.

Both are reasonably fast.

Silver is not only faster than AESGCM, it is in fact competitive even with OCB and it appears to be among the group of the fastest CAESAR candidates.

They both benefit from whatever improvement in speed, area, energy consumption, etc., to AES.

The basic idea is simple in both: combine CTR with PFB in one, change three round keys in the other.

In both cases whatever damage is caused by repetition of a nonce is limited to that nonce, i.e., repetition of a nonce X does not affect confidentiality or authentication of messages used with nonce Y.

Silver has some resistance against nonce misuse but we have not been able to precisely measure this resistance.

As of the moment of this writing there are no attacks against either.



Page 94

Comments

Thanks! Gracias! Merci!

Kiitos! Danke!
