AEAD


What is AEAD

AEAD, or Authenticated Encryption with Associated Data, provides confidentiality and authentication for a message (AE, Authenticated Encryption) together with integrity and authentication for some Associated Data (AD), also known as “Additional Authenticated Data” (AAD) [1]. In short, AEAD combines encryption and authentication into one scheme: the plaintext is both encrypted and authenticated, while the associated data is only authenticated (it is not encrypted). The main idea behind AEAD can be visualized as below,

Figure 01 : AEAD explained with a network packet. In this figure the headers are the Associated Data: they are authenticated but not encrypted, while the payload is both encrypted and authenticated.

Common AEAD implementing modes are given below,

* CCM

* GCM

* OCB

Significance of AEAD when compared to traditional approaches

Basically, AEAD uses Authenticated Encryption (AE), which combines traditional encryption with an independent MAC, so AE provides confidentiality and data authenticity simultaneously. This AE approach is more complicated than an authenticity-only (MAC) approach or a confidentiality-only (traditional encryption) approach, but AE is easier to use and needs only one key. When encryption and a MAC are used separately, some problems occur,

* Traditional encryption uses a key and the MAC also uses a key; if both use the same key, unwanted weaknesses may occur

* Traditional encryption uses an IV (Initialization Vector) and the MAC may also use an IV; again, if the two approaches use the same keys, weaknesses may occur

* A MAC may theoretically leak some information about the data it processes [2]

With the use of Authenticated Encryption, these problems can be solved.
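To make the AEAD contract concrete, here is a small Encrypt-then-MAC AEAD written for this post (it is an added example, not code from the post's author or from any of the cited references). It builds both halves from the Python standard library: a counter-mode keystream from HMAC-SHA256 for confidentiality, and HMAC-SHA256 over the nonce, the associated data and the ciphertext for authenticity. The key-derivation labels, the 12-byte nonce, the 16-byte tag and the sample packet header are constructed choices for this example. It demonstrates the three points above: one user key with separate derived subkeys for the cipher and the MAC, associated data that is authenticated but not encrypted, and rejection of any modified ciphertext or header.

```python
import hmac
import hashlib

TAG_LEN = 16     # authentication tag length in bytes (constructed choice)
NONCE_LEN = 12   # nonce length in bytes (constructed choice)


def derive_subkeys(key: bytes):
    """Derive independent encryption and MAC subkeys from the single AEAD key,
    so the cipher and the MAC never share a key (the first problem listed above)."""
    enc_key = hmac.new(key, b"aead-example-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"aead-example-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from a PRF (HMAC-SHA256): the nonce makes it
    unique per message, the counter unique per 32-byte chunk."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def compute_tag(mac_key: bytes, nonce: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """MAC over nonce, associated data and ciphertext. The explicit lengths make
    the (aad, ciphertext) split unambiguous, so moving bytes from one field to
    the other cannot yield the same tag."""
    msg = (nonce + aad + ciphertext
           + len(aad).to_bytes(8, "big") + len(ciphertext).to_bytes(8, "big"))
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def aead_encrypt(key: bytes, nonce: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Returns ciphertext || tag. The AAD is authenticated but NOT part of the
    output: the caller sends it in the clear, like a packet header."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    enc_key, mac_key = derive_subkeys(key)
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    return ciphertext + compute_tag(mac_key, nonce, aad, ciphertext)


def aead_decrypt(key: bytes, nonce: bytes, data: bytes, aad: bytes = b"") -> bytes:
    """Verifies the tag in constant time BEFORE decrypting; any change to the
    ciphertext, the tag, the nonce or the AAD is rejected."""
    if len(data) < TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = derive_subkeys(key)
    ciphertext, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    if not hmac.compare_digest(tag, compute_tag(mac_key, nonce, aad, ciphertext)):
        raise ValueError("authentication failed")
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def demo():
    """Constructed sample: a payload with a cleartext header as associated data."""
    key = hashlib.sha256(b"constructed example key").digest()
    nonce = b"\x00" * 11 + b"\x01"
    header = b"src=10.0.0.1;dst=10.0.0.2"   # associated data, transmitted in the clear
    payload = b"secret payload"
    sealed = aead_encrypt(key, nonce, payload, header)
    ok = aead_decrypt(key, nonce, sealed, header) == payload
    # Flip one bit of the header: the AD is not encrypted, but it is authenticated
    aad_rejected = False
    try:
        aead_decrypt(key, nonce, sealed, bytes([header[0] ^ 1]) + header[1:])
    except ValueError:
        aad_rejected = True
    # Flip one bit of the ciphertext
    ct_rejected = False
    try:
        aead_decrypt(key, nonce, bytes([sealed[0] ^ 1]) + sealed[1:], header)
    except ValueError:
        ct_rejected = True
    return ok, aad_rejected, ct_rejected


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, True, True)`: the round trip succeeds, and flipping a single bit of either the header (the AD) or the ciphertext makes `aead_decrypt` raise before any plaintext is released. Note that the ciphertext bytes depend only on the key, nonce and plaintext; changing the AD changes only the tag, which is exactly the “authenticated but not encrypted” property of associated data.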


What is GCM mode and how it works

This mode is used for authenticated encryption with associated data, and it uses an initialization vector for its processing (the IV may have an arbitrary length, but the mode is optimized for 96-bit IVs). GCM uses the AES block cipher and its mode of operation is similar to CTR. GCM uses 128-, 192- or 256-bit keys according to AES, and a block size of 128 bits. GCM also restricts the length of the IV to at most 2^64 - 1 bits (in multiples of 8) and the size of the additional data to at most 2^64 - 1 bits [4].

     How GCM works

     Authenticated encryption algorithm of GCM can be given as below,

  • Inputs of this algorithm: Initialization vector(IV), Plaintext (P), Additional authenticated data (A) 
  • Outputs of this algorithm : Ciphertext (C), Authentication tag (T)

Figure 02 : Illustration of the GCM algorithm [5]

The working steps of the GCM algorithm are given below (the step numbers follow the numbering shown in Figure 02),

1. As the 1st step, the hash subkey is generated by applying the block cipher to the “zero” block (this subkey is used by the GHASH function). It can be denoted as H = CIPH_K(0^128).

2. As the 2nd step, the counter block is generated from the IV. If the length of the IV is 96 bits, the padding string 0^31 || 1 is appended to the IV to form the counter block. Otherwise, the IV is padded with the minimum number of ‘0’ bits so that the length of the resulting string is a multiple of the block size, and the GHASH function is applied to this string to form the counter block.

3. As the 3rd step, the incrementing function is applied to the counter block generated in the 2nd step to produce the initial counter block for an invocation of the GCTR function on the plaintext. The output of this GCTR function is the ciphertext.

4.–5. As the 4th and 5th steps, the AAD and the ciphertext are each appended with the minimum number of ‘0’ bits so that, as in the 2nd step, the bit lengths of the resulting strings are multiples of the block size.

6. The GHASH function is applied to the padded strings from the 4th and 5th steps (together with their lengths), which gives a single output block. That block is encrypted using the GCTR function with the counter block generated in the 2nd step, and the result is truncated to the specified tag length to form the authentication tag.

7. As the 7th and last step, the ciphertext and the tag are returned as the output.


The GHASH function used by GCM

Figure 03 : Illustration of the GHASH function [5]


The output returned by this GHASH function can be given as below,

 

The GCTR function used by GCM

Figure 04 : GCTR function [5]
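The following added example (not from this post or from NIST's publication; written here to illustrate steps 4 to 6 and the GHASH function above) implements GHASH, the GF(2^128) multiplication it relies on, and the final XOR-and-truncate that forms the tag, in pure Python. No AES implementation is included, so the hash subkey H and the encrypted pre-counter block E_K(J0) are taken from GCM test case 2 of the original GCM specification (zero key, zero 96-bit IV, one zero plaintext block); those hex constants are the test vector's published values, not computed here. Everything else (the zero padding, the lengths block, the GHASH iteration and the tag formation) is computed by the code.

```python
# GF(2^128) arithmetic and GHASH as specified in NIST SP 800-38D (Algorithms 1 and 2).
# The block cipher is not implemented: H and E_K(J0) come from a published test vector,
# so only steps 4-6 of the description above (padding, GHASH, tag formation) run here.

R_POLY = 0xE1 << 120   # the constant R = 11100001 || 0^120 from SP 800-38D


def gf128_mul(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128) with GCM's bit ordering:
    bit 0 of a block is its leftmost bit (Algorithm 1 of SP 800-38D)."""
    z = 0
    v = y
    for i in range(128):
        if (x >> (127 - i)) & 1:   # x_i, counting from the leftmost bit
            z ^= v
        if v & 1:                  # LSB(V) = 1: shift right and reduce by R
            v = (v >> 1) ^ R_POLY
        else:
            v >>= 1
    return z


def zero_pad(data: bytes) -> bytes:
    """Steps 4 and 5: append the minimum number of '0' bits so the length is a multiple of 128 bits."""
    return data + bytes((-len(data)) % 16)


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """GHASH_H over A || 0^v || C || 0^u || [len(A)]64 || [len(C)]64 (bit lengths):
    Y_0 = 0, Y_i = (Y_{i-1} xor X_i) * H, and the last Y_i is the output."""
    h_int = int.from_bytes(h, "big")
    data = (zero_pad(aad) + zero_pad(ciphertext)
            + (8 * len(aad)).to_bytes(8, "big") + (8 * len(ciphertext)).to_bytes(8, "big"))
    y = 0
    for i in range(0, len(data), 16):
        y = gf128_mul(y ^ int.from_bytes(data[i:i + 16], "big"), h_int)
    return y.to_bytes(16, "big")


def gcm_tag(ek_j0: bytes, h: bytes, aad: bytes, ciphertext: bytes, tag_len: int = 16) -> bytes:
    """Step 6: T = MSB_t(GCTR_K(J0, GHASH_H(...))). GCTR on a single block is just
    a XOR with E_K(J0), so the GHASH output is XORed with it and truncated."""
    g = ghash(h, aad, ciphertext)
    return bytes(a ^ b for a, b in zip(ek_j0, g))[:tag_len]


# Published values of GCM test case 2 (K = 0^128, IV = 0^96, P = 0^128, no AAD):
TEST_H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")      # H = AES_K(0^128)
TEST_EK_J0 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")  # E_K(J0), J0 = IV || 0^31 || 1
TEST_C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")      # ciphertext of the one zero block
TEST_T = bytes.fromhex("ab6e47d42cec13bdf53a67b21257bddf")      # expected authentication tag


def verify_test_vector() -> bool:
    """Recomputes the tag of test case 2 and checks that flipping one ciphertext
    bit changes it (the property the tag exists to provide)."""
    tag = gcm_tag(TEST_EK_J0, TEST_H, b"", TEST_C)
    flipped = bytes([TEST_C[0] ^ 0x80]) + TEST_C[1:]
    return tag == TEST_T and gcm_tag(TEST_EK_J0, TEST_H, b"", flipped) != TEST_T


if __name__ == "__main__":
    print(ghash(TEST_H, b"", TEST_C).hex())   # f38cbb1ad69223dcc3457ae5b6b0f885
    print(verify_test_vector())               # True
```

The recomputed tag must equal ab6e47d42cec13bdf53a67b21257bddf, and the intermediate GHASH output must equal f38cbb1ad69223dcc3457ae5b6b0f885, which is the test vector's published intermediate value. The bit ordering inside gf128_mul is the easiest part to get wrong: GCM numbers the bits of a block from the leftmost bit, so the multiplicative identity is the block 80 00 … 00, not 00 … 01.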


What is OCB mode and how it works

OCB is also an AEAD mode that simultaneously provides both privacy and authenticity for user-supplied plaintext, and it depends on a block cipher. It achieves authenticated encryption in almost the same amount of time as the fastest conventional mode. OCB is fully parallelizable (this is the reason it performs better than traditional methods) and adds only minor overhead compared to conventional modes. OCB works for messages of any bit length, uses a single block-cipher key and employs an arbitrary nonce. The encryption structure of OCB is similar to ECB mode: each block is encrypted independently of the other blocks, which is what allows the blocks to be processed in parallel. [6]

How OCB works

Below shows the working process of the OCB mode encryption algorithm,

Figure 05 : OCB encryption algorithm illustration [7]

The steps that happen in this algorithm are described below (the step numbers follow the numbering in Figure 05),

1. As the 1st step, the message to be encrypted (M bits in size) is divided into m blocks, each n bits in length, where,

So M can be written as,

and each block is processed in parallel.

2. At the 2nd step, each divided message block M[i] is XORed with Z[i], where Z[i] is derived as below,

(here ntz(i) represents the number of trailing zero bits of the block index i)

3. As the 3rd step, the XOR output of the 2nd step passes through the encryption algorithm E_K; the XOR outputs of all the other parallel processes are treated the same way.

4. The output of the 3rd step is XORed again with the same Z[i] used in the 2nd step. This produces C[i], the ciphertext block.

5. When the message of M bits is divided into m blocks, the last block may not have the same size as the other n-bit blocks. So the last block is handled as below,

6. The checksum is defined as below,

Here C[m]0* means the ciphertext C[m] right-padded with zero bits.

7. As the final step, the checksum is XORed with Z[m] and the result passes through E_K. The first t bits of that output are taken as the tag, where t is the tag length. [7]
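As an added example for the seven steps above (not code from this post or from the OCB authors' reference implementation), here is the mode in Python following the definitions in the full OCB paper [7]: L = E_K(0^n), R = E_K(N xor L), Z[1] = L xor R, Z[i] = Z[i-1] xor L(ntz(i)) with L(j) = L(j-1) times x in GF(2^128), the last-block treatment using len(M[m]) xor L times x^-1, the checksum M[1] xor … xor M[m-1] xor C[m]0* xor Y[m], and the tag as the first tau bytes of E_K(Checksum xor Z[m]). The one assumption is the block cipher: the Python standard library has no AES, so the example constructs a keyed 128-bit permutation from a 4-round Feistel network over HMAC-SHA256 and uses it in place of E_K; everything specific to OCB is unchanged and AES could be dropped in. Like the version of OCB described in this section, it takes no associated data.

```python
import hmac
import hashlib

N = 16  # block length n = 128 bits, in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in block cipher (constructed for this example, NOT part of OCB): a 4-round
# Feistel network with HMAC-SHA256 as round function. It is a keyed permutation of
# 128-bit blocks, so E_K and its inverse D_K both exist, which is all OCB requires.
def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):            # E_K
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key, block):            # D_K: rounds undone in reverse order
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def ntz(i):                               # number of trailing zero bits of i (i >= 1)
    return (i & -i).bit_length() - 1

def times_x(block):
    """L.x in GF(2^128): shift left one bit, reduce by x^128 + x^7 + x^2 + x + 1."""
    v = int.from_bytes(block, "big") << 1
    if v >> 128:
        v = (v & ((1 << 128) - 1)) ^ 0x87
    return v.to_bytes(N, "big")

def times_x_inv(block):
    """L.x^-1 in GF(2^128): shift right; if the low bit was set, XOR 10000000 0^112 01000011."""
    v = int.from_bytes(block, "big")
    return ((v >> 1) ^ ((1 << 127) | 0x43) if v & 1 else v >> 1).to_bytes(N, "big")

def offsets(key, nonce, m):
    """Step 2: Z[1] = L xor R, Z[i] = Z[i-1] xor L(ntz(i)), where L = E_K(0^n),
    R = E_K(nonce xor L), L(0) = L and L(j) = L(j-1).x. Returns (L, [Z[1], ..., Z[m]])."""
    L = block_encrypt(key, bytes(N))
    R = block_encrypt(key, xor(nonce, L))
    L_table, Z = [L], [xor(L, R)]
    for i in range(2, m + 1):
        while len(L_table) <= ntz(i):
            L_table.append(times_x(L_table[-1]))
        Z.append(xor(Z[-1], L_table[ntz(i)]))
    return L, Z

def _y_last(key, L, Zm, last):
    """Step 5: Y[m] = E_K(len(M[m]) xor L.x^-1 xor Z[m]); C[m] = M[m] xor first |M[m]| bits of Y[m]."""
    length_block = (8 * len(last)).to_bytes(N, "big")
    return block_encrypt(key, xor(xor(length_block, times_x_inv(L)), Zm))

def ocb_encrypt(key, nonce, msg, tau=16):
    """Steps 1-7 of OCB encryption. Returns (ciphertext, tag); |ciphertext| = |msg|. The nonce is n bits."""
    m = max(1, -(-len(msg) // N))                       # step 1: m blocks, only M[m] may be short
    blocks = [msg[i * N:(i + 1) * N] for i in range(m)]
    L, Z = offsets(key, nonce, m)
    checksum, out = bytes(N), []
    for i in range(m - 1):                              # steps 2-4: each block independent of the others
        out.append(xor(block_encrypt(key, xor(blocks[i], Z[i])), Z[i]))
        checksum = xor(checksum, blocks[i])
    Y = _y_last(key, L, Z[m - 1], blocks[-1])           # step 5
    c_last = xor(blocks[-1], Y)                         # zip() truncates Y to |M[m]|
    out.append(c_last)
    checksum = xor(xor(checksum, c_last + bytes(N - len(c_last))), Y)   # step 6: ... xor C[m]0* xor Y[m]
    tag = block_encrypt(key, xor(checksum, Z[m - 1]))[:tau]              # step 7: first tau bytes
    return b"".join(out), tag

def ocb_decrypt(key, nonce, ct, tag):
    """Inverse of ocb_encrypt; raises ValueError if the tag does not verify."""
    m = max(1, -(-len(ct) // N))
    blocks = [ct[i * N:(i + 1) * N] for i in range(m)]
    L, Z = offsets(key, nonce, m)
    checksum, out = bytes(N), []
    for i in range(m - 1):
        p = xor(block_decrypt(key, xor(blocks[i], Z[i])), Z[i])
        out.append(p)
        checksum = xor(checksum, p)
    Y = _y_last(key, L, Z[m - 1], blocks[-1])
    out.append(xor(blocks[-1], Y))
    checksum = xor(xor(checksum, blocks[-1] + bytes(N - len(blocks[-1]))), Y)
    expected = block_encrypt(key, xor(checksum, Z[m - 1]))[:len(tag)]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("OCB tag check failed")
    return b"".join(out)

def demo():
    """Constructed sample: round trip, no ciphertext expansion, tamper rejection."""
    key = hashlib.sha256(b"constructed OCB example key").digest()
    nonce = bytes(15) + b"\x01"                         # n-bit nonce, must be unique per message
    msg = b"OCB handles messages of any bit length, not only multiples of 128 bits"
    ct, tag = ocb_encrypt(key, nonce, msg)
    roundtrip = ocb_decrypt(key, nonce, ct, tag) == msg
    try:
        ocb_decrypt(key, nonce, ct[:-1] + bytes([ct[-1] ^ 1]), tag)
        rejected = False
    except ValueError:
        rejected = True
    return len(ct) == len(msg), roundtrip, rejected
```

`demo()` returns `(True, True, True)`: the ciphertext has exactly the length of the message (only the tag is added), decryption recovers the message, and a one-bit change to the ciphertext is rejected before any plaintext is released. The per-block work in steps 2 to 4 depends only on M[i] and Z[i], and Z[i] can be computed from L, R and the index i alone, which is what makes the blocks independent and the mode parallelizable.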


Comparison of CCM, GCM and OCB modes

Table 01 : Comparison of CCM, GCM and OCB modes [8]

| Feature | CCM | GCM | OCB |
|---|---|---|---|
| Ciphertext expansion (an important feature for short messages, where the expansion can even exceed the original message length) | 16k, k∊{2,…,8} | t | t |
| Keying material | 1 key | 1 key | 1 key |
| Parallelizability (an important factor for high-speed environments) | Only the encryption process | Encryption and authentication processes | Encryption and authentication processes |
| Is it an AEAD implementing mode? | yes | yes | no |
| Authenticator length | 16k, k∊{2,…,8} | 0…n | 0…n |
| Incremental MAC | no | yes | no |
| Online message processing | no | yes | yes |
| Ending dependent | yes | yes | no |

 

Present state of usage of the different modes

CCM

CCM was developed as a less efficient but IP-free alternative to OCB. CCM is a non-patented, non-parallelizable, provably secure mode with small memory requirements and the AEAD feature. The design of this mode is flexible and targeted at underlying ciphers with a 128-bit block length.

Applications : IEEE 802.11i (as CCMP, the encryption algorithm of WPA2), IPsec, TLS 1.2, Bluetooth Low Energy

GCM

The initial purpose of GCM mode was to have a parallelizable, hardware-efficient and patent-free AEAD scheme. Being parallelizable means that it is useful for high-speed, hardware-based applications.

Applications : IEEE 802.1AE (MACsec), Ethernet security, IEEE 802.11ad, ANSI Fibre Channel security protocols, IEEE P1619, IETF IPsec standards, TLS 1.2, TLS 1.3

OCB

OCB is a patented, fully parallelizable, provably secure, flexible and very efficient mode with small memory requirements, without the AEAD feature.

Applications : IEEE 802.11 wireless security standard

As a conclusion, patent issues aside, OCB mode seems to be the most universal candidate for most situations. Except in environments with critically limited memory, the non-patented GCM offers performance characteristics comparable to OCB and saves the space needed for a decryption engine. In powerful and highly parallelizable environments, both GCM and OCB are suitable. For restricted environments with low memory and serial execution, such as present smartcards, OCB mode was selected as the most suitable.


References

[1]   Ireland, D., 2021. Authenticated Encryption with Additional Data (AEAD). [online] Cryptosys.net. Available at: <https://www.cryptosys.net/manapi/api_aeadalgorithms.html> [Accessed 2 May 2021].

[2]   Pornin, T., 2021. Why choose an authenticated encryption mode instead of a separate MAC? [online] Cryptography Stack Exchange. Available at: <https://crypto.stackexchange.com/questions/923/why-choose-an-authenticated-encryption-mode-instead-of-a-separate-mac?rq=1> [Accessed 2 May 2021].

[3]   Slideshare.net. 2021. Authenticated Encryption Gcm Ccm. [online] Available at: <https://www.slideshare.net/ProjectSymphony/authenticated-encryption-gcm-ccm> [Accessed 3 May 2021].

[4]   Cryptopp.com. 2021. GCM Mode - Crypto++ Wiki. [online] Available at: <https://www.cryptopp.com/wiki/GCM_Mode> [Accessed 3 May 2021].

[5]   Dworkin, M., 2007. Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC. NIST Special Publication 800-38D. [online] Available at: <https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf> [Accessed 4 May 2021].

[6]   Rogaway, P. OCB - An Authenticated-Encryption Scheme - Background. [online] Web.cs.ucdavis.edu. Available at: <https://web.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm> [Accessed 5 May 2021].

[7]   Rogaway, P., Bellare, M., Black, J. and Krovetz, T., 2001. OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption (full version). [online] Available at: <https://web.cs.ucdavis.edu/~rogaway/papers/ocb-full.pdf> [Accessed 4 May 2021].

[8]   Svenda, P. Basic comparison of Modes for Authenticated-Encryption (IAPM, XCBC, OCB, CCM, EAX, CWC, GCM, PCFB, CS). [online] Semanticscholar.org. Available at: <https://www.semanticscholar.org/paper/Basic-comparison-of-Modes-for-(-IAPM-%2C-XCBC-%2C-OCB-%2C-Svenda/e561a7277ab2de916b27258ab27af94914b976d1> [Accessed 5 May 2021].

[9]   Rogaway, P. OCB - An Authenticated-Encryption Scheme - Performance. [online] Web.cs.ucdavis.edu. Available at: <https://web.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm#performance> [Accessed 5 May 2021].
