
52 Things: Number 27: What is the AEAD security definition for symmetric key encryption?

Posted: 2024-04-12 21:34:11


This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know To Do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. This post kicks off the 'Security Definitions and Proofs' section with a brief overview of Authenticated Encryption.


In a recent post Luke described a number of well-used modes of operation (ECB, CBC and CTR) for blockciphers, modes that provide privacy (confidentiality) only. We may also want integrity from our encryption mechanism, meaning that the recipient is assured that the message it receives is the one sent, without accidental changes or intentional tampering, and authenticity, meaning that the receiver is convinced of the origin of the message. To get these additional goals we often use a message authentication code (MAC); the most widely used are those based on blockciphers and those based on hash functions (HMAC). Putting these two primitives together is non-trivial: to get an IND-CCA secure scheme we need to follow the 'Encrypt-then-MAC' paradigm with a secure encryption scheme and a strongly unforgeable MAC, meaning the MAC is computed on the ciphertext (see here and here for more on Encrypt-and-MAC and MAC-then-Encrypt, with a focus on why one should avoid them). The 'AD' refers to variable-length associated data such as packet headers; we normally expect authenticity and integrity but not confidentiality for this optional component. For further reading and examples, see Adam Langley's blog on the topic.

Next week's blog post will give an in-depth overview of IND-CCA2 security in the context of public-key encryption. The 'real-or-random' definition of IND-CCA2 (and IND-CCA1) gives the adversary access to an encryption oracle, which has an encryption key hardwired and on input message m returns either a 'real' encryption E_k(m) or a 'fake' encryption E_k($^{|m|}) of a uniformly random string of the same length, and a decryption oracle that on input ciphertext c returns D_k(c); the adversary is then asked to distinguish which world it is in. In 2004 Shrimpton showed that a new notion dubbed IND-CCA3, where the decryption oracle in the 'fake' world is replaced by one that always returns the invalid symbol ⊥, is equivalent to the previously considered notion of AE, in which privacy and authenticity/integrity are defined separately. This observation was incorporated into Rogaway and Shrimpton's paper on the keywrap problem and Deterministic Authenticated Encryption. For more information on the impact of associated data, see here and here.
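The two ideas above, the Encrypt-then-MAC composition with associated data and the IND-CCA3 game with its ⊥-only decryption oracle in the fake world, can be made concrete in code. The following is an added example written for this page, not code from the original post or from any of the papers it cites. Everything in it is hypothetical: counter mode driven by HMAC-SHA256 as the PRF stands in for a real blockcipher so that it runs offline with the Python standard library only, the function and class names (`aead_encrypt`, `World`, `bitflip_adversary`, `advantage`) are my own, and the header and message bytes are constructed sample values. The same bit-flipping adversary is run against privacy-only counter mode and against the Encrypt-then-MAC scheme: the first is distinguished with advantage 1, the second with advantage 0, which is exactly the integrity requirement that the ⊥ oracle bakes into the definition.

```python
"""Encrypt-then-MAC AEAD and the IND-CCA3 real-or-fake game (added, hypothetical example)."""
import hashlib
import hmac
import secrets
import struct

BOTTOM = None  # stands for the invalid symbol ⊥ returned on rejection
TAG_LEN = 32   # HMAC-SHA256 output length in bytes


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = PRF(k_enc, nonce || i); HMAC-SHA256 stands in for the blockcipher."""
    out = bytearray()
    i = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
        i += 1
    return bytes(out[:length])


def ctr_encrypt(key: bytes, nonce: bytes, ad: bytes, m: bytes) -> bytes:
    """Privacy-only scheme: XOR with the keystream. AD is ignored; nothing is authenticated."""
    return bytes(a ^ b for a, b in zip(m, _keystream(key[:32], nonce, len(m))))


ctr_decrypt = ctr_encrypt  # XOR is its own inverse: every ciphertext 'decrypts' to something


def _tag(k_mac: bytes, nonce: bytes, ad: bytes, c: bytes) -> bytes:
    # Length-prefix the AD so an (ad, c) pair cannot be re-split into a different valid pair.
    return hmac.new(k_mac, struct.pack(">Q", len(ad)) + ad + nonce + c, hashlib.sha256).digest()


def aead_encrypt(key: bytes, nonce: bytes, ad: bytes, m: bytes) -> bytes:
    """Encrypt-then-MAC with independent keys: the tag is computed over the ciphertext and AD."""
    k_enc, k_mac = key[:32], key[32:64]
    c = ctr_encrypt(k_enc, nonce, b"", m)
    return c + _tag(k_mac, nonce, ad, c)


def aead_decrypt(key: bytes, nonce: bytes, ad: bytes, c_tag: bytes):
    """Verify the tag first (constant-time compare) and decrypt only if it matches; else ⊥."""
    k_enc, k_mac = key[:32], key[32:64]
    if len(c_tag) < TAG_LEN:
        return BOTTOM
    c, tag = c_tag[:-TAG_LEN], c_tag[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(k_mac, nonce, ad, c)):
        return BOTTOM
    return ctr_decrypt(k_enc, nonce, b"", c)


class World:
    """One world of the IND-CCA3 game for a scheme (enc, dec) with a hardwired random key.

    real=True : E_k(m) and D_k(c), as in the real-or-random IND-CCA2 game.
    real=False: E_k of a random string of length |m|, and a decryption oracle
                that always returns ⊥ (the IND-CCA3 modification).
    """

    def __init__(self, enc, dec, real: bool):
        self.enc, self.dec, self.real = enc, dec, real
        self.key = secrets.token_bytes(64)
        self.seen = set()  # outputs of the encryption oracle, to rule out trivial wins

    def encrypt(self, nonce: bytes, ad: bytes, m: bytes) -> bytes:
        if not self.real:
            m = secrets.token_bytes(len(m))  # fake world encrypts $^{|m|}
        c = self.enc(self.key, nonce, ad, m)
        self.seen.add((nonce, ad, c))
        return c

    def decrypt(self, nonce: bytes, ad: bytes, c: bytes):
        if (nonce, ad, c) in self.seen or not self.real:
            return BOTTOM
        return self.dec(self.key, nonce, ad, c)


def bitflip_adversary(world: World) -> bool:
    """Flips one ciphertext bit and guesses 'real' iff the decryption oracle accepts it."""
    nonce, ad, m = b"\x00" * 12, b"constructed header", b"constructed message"
    c = world.encrypt(nonce, ad, m)
    c_mod = bytes([c[0] ^ 0x01]) + c[1:]
    return world.decrypt(nonce, ad, c_mod) is not BOTTOM


def advantage(enc, dec, adversary, trials: int = 50) -> float:
    """Pr[A says real | real world] - Pr[A says real | fake world], estimated empirically."""
    real_hits = sum(adversary(World(enc, dec, real=True)) for _ in range(trials))
    fake_hits = sum(adversary(World(enc, dec, real=False)) for _ in range(trials))
    return (real_hits - fake_hits) / trials


if __name__ == "__main__":
    # Counter mode alone is malleable: a modified ciphertext still decrypts, so advantage 1.0.
    print("CTR only        :", advantage(ctr_encrypt, ctr_decrypt, bitflip_adversary))
    # Encrypt-then-MAC rejects the modified ciphertext in both worlds: advantage 0.0.
    print("Encrypt-then-MAC:", advantage(aead_encrypt, aead_decrypt, bitflip_adversary))
```

The `seen` set enforces the usual rule that the adversary may not ask the decryption oracle about ciphertexts the encryption oracle produced; without it the game is trivially won in either definition. Note also the order in `aead_decrypt`: the tag is checked before any decryption happens, which is the property the Encrypt-then-MAC ordering buys and the reason the text steers away from MAC-then-Encrypt.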

In practice, a large proportion of traffic uses CCM mode, which combines a blockcipher in counter mode with CBC-MAC in the MAC-then-Encrypt order, and GCM, which uses Encrypt-then-MAC with a blockcipher in counter mode and a polynomial-based hash function called GHASH. CCM is comparatively inefficient, as it requires two blockcipher calls per message block and is not online (the message length needs to be known before processing can start), and, as this paper by Saarinen shows, GCM has some weak keys.

The CAESAR competition is currently in progress, with the aim of selecting a portfolio of authenticated ciphers for recommendation based on thorough public academic scrutiny. One of the main aims is to get more researchers thinking about such a vital topic, and the large number (and varied nature) of first-round submissions indicates this goal has already been achieved. The second-round candidates are expected to be announced next week, and an overview of the submissions can be found at the AE Zoo, which is run by a number of researchers from DTU.

From: https://www.cnblogs.com/3cH0-Nu1L/p/18107475
