52 Things: Number 27: What is the AEAD security definition for symmetric key encryption?
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know' to do Cryptography: a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. This post will kick off the 'Security Definitions and Proofs' section with a brief overview of Authenticated Encryption.
In a recent post Luke described a number of well-used modes of operation (ECB, CBC and CTR) for blockciphers, modes that provide privacy (confidentiality) only. We may also want integrity from our encryption mechanism, meaning that the recipient is assured that the message it receives is the one sent without accidental changes or intentional tampering, and authenticity meaning that the receiver is convinced of the origin of the message. To get these additional goals we often use a message authentication code (MAC), and the most widely used are those based on blockciphers and those based on hash functions (HMAC). Putting these two primitives together is non-trivial: to get an IND-CCA secure scheme we need to follow the 'Encrypt-then-MAC' paradigm with a secure encryption scheme and a strongly unforgeable MAC, meaning computing the MAC on the ciphertext (see here and here for more info on Encrypt-and-MAC and MAC-then-Encrypt, with a focus on why one should avoid them). The 'AD' refers to variable-length associated data such as packet headers, and we normally expect authenticity and integrity but not confidentiality from this optional component. For further reading and examples, see Adam Langley's blog on the topic.
Next week's blog post will see an in-depth overview of IND-CCA2 security in the context of public-key encryption. The 'real-or-random' definition of IND-CCA2 (and IND-CCA1) gives the adversary access to an encryption oracle, which has an encryption key hardwired and on input message m returns either a 'real' encryption E_k(m) or a 'fake' encryption E_k($^{|m|}) of a random string of the same length as m, and a decryption oracle that given a ciphertext c returns D_k(c); the adversary is then asked to distinguish which world he is in. In 2004 Shrimpton showed that a new notion dubbed IND-CCA3, where the decryption oracle in the 'fake' world is replaced by an oracle that always returns the invalid symbol ⊥, is equivalent to the previously considered notion of AE, where the notions of privacy and authenticity/integrity are looked at separately. This observation was incorporated into Rogaway and Shrimpton's paper on the key-wrap problem and Deterministic Authenticated Encryption. For more information on the impact of associated data, see here and here.
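The Encrypt-then-MAC construction from the previous paragraph and the IND-CCA3 game just described, as an added example that is not part of the original post: a toy AEAD built from Python standard-library primitives (HMAC-SHA256 used as a PRF in counter mode stands in for the blockcipher, an assumption made so the code runs offline), the 'real' and 'fake' worlds with their encryption and decryption oracles, and a bit-flipping adversary whose empirical advantage is zero against the authenticated scheme but one against the privacy-only counter mode the post contrasts it with. The message and associated data are constructed sample values.

```python
import hmac, hashlib, secrets
BOT = None  # stands in for the invalid symbol ⊥ returned on a failed decryption

def _keystream(k_enc, nonce, n):
    # CTR-style keystream; HMAC-SHA256 used as a PRF stands in for a blockcipher in counter mode (assumption)
    return b"".join(hmac.new(k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]
def _tag(k_mac, nonce, ad, c):
    return hmac.new(k_mac, nonce + ad + c, hashlib.sha256).digest()  # MAC covers nonce, AD and ciphertext

def encrypt(key, nonce, ad, m, authenticate=True):
    # Encrypt-then-MAC AEAD; authenticate=False is the privacy-only CTR mode the post contrasts it with
    k_enc, k_mac = key[:32], key[32:]
    c = bytes(x ^ y for x, y in zip(m, _keystream(k_enc, nonce, len(m))))
    return c + _tag(k_mac, nonce, ad, c) if authenticate else c

def decrypt(key, nonce, ad, ct, authenticate=True):
    k_enc, k_mac = key[:32], key[32:]
    c, tag = (ct[:-32], ct[-32:]) if authenticate else (ct, b"")
    if authenticate and not hmac.compare_digest(tag, _tag(k_mac, nonce, ad, c)):
        return BOT  # tag check failed: the invalid symbol, never a partial plaintext
    return bytes(x ^ y for x, y in zip(c, _keystream(k_enc, nonce, len(c))))

class IndCCA3Game:
    def __init__(self, real, authenticate=True):  # real=True: genuine E_k/D_k; real=False: the 'fake' world
        self.real, self.auth = real, authenticate
        self.key, self.seen = secrets.token_bytes(64), set()
    def enc(self, nonce, ad, m):
        if not self.real:
            m = secrets.token_bytes(len(m))  # fake world encrypts $^{|m|}, a random string of the same length
        ct = encrypt(self.key, nonce, ad, m, self.auth)
        self.seen.add((nonce, ad, ct))  # outputs of Enc may not be replayed to Dec (trivial win otherwise)
        return ct
    def dec(self, nonce, ad, ct):
        if (nonce, ad, ct) in self.seen or not self.real:
            return BOT  # fake world: the decryption oracle always answers ⊥
        return decrypt(self.key, nonce, ad, ct, self.auth)

def bitflip_adversary(game):
    # Guesses 'real' if a one-bit change to a fresh ciphertext is still accepted by Dec
    nonce, ad = secrets.token_bytes(12), b"packet header"  # constructed sample associated data
    ct = game.enc(nonce, ad, b"transfer 100 to account 42")  # constructed sample message
    forged = bytes([ct[0] ^ 0x01]) + ct[1:]
    return game.dec(nonce, ad, forged) is not BOT

def advantage(adversary, authenticate=True, trials=50):
    # Empirical |Pr[A says 'real' in the real world] - Pr[A says 'real' in the fake world]|
    p_real = sum(adversary(IndCCA3Game(True, authenticate)) for _ in range(trials)) / trials
    p_fake = sum(adversary(IndCCA3Game(False, authenticate)) for _ in range(trials)) / trials
    return abs(p_real - p_fake)
```

With the tag covering the associated data, a ciphertext presented under a different header is also rejected with ⊥, which is the authenticity the post expects from the 'AD' component.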
In practice, a large proportion of traffic uses CCM mode, which combines a blockcipher in counter mode with CBC-MAC in the MAC-then-Encrypt approach, and GCM, which uses Encrypt-then-MAC with a blockcipher in counter mode and a polynomial-based hash function called GHASH. CCM is comparatively inefficient as it requires two blockcipher calls per message block and is not online (the message length needs to be known before processing can occur), and as this paper by Saarinen shows, GCM has some weak keys.
The CAESAR competition is currently in progress, with the aim of selecting a portfolio of authenticated ciphers for recommendation based on thorough academic public scrutiny. One of the main aims is to get more researchers thinking about such a vital topic, and the large number (and varied nature) of first round submissions indicates this goal has already been achieved. The second round candidates are expected to be announced next week, and an overview of the submissions can be found at the AE Zoo which is run by a number of researchers from DTU.
From: https://www.cnblogs.com/3cH0-Nu1L/p/18107475