The COLM Authenticated Encryption Scheme

IF 2.3 · Zone 3 (Computer Science) · JCR Q2: COMPUTER SCIENCE, THEORY & METHODS
Journal of Cryptology · Journal Article · Published 2024-03-07 · DOI: https://doi.org/10.1007/s00145-024-09492-8
Citations: 0

The COLM Authenticated Encryption Scheme

Abstract

In this work we present the COLM authenticated encryption (AE) scheme which is the second of the two winners in the defense in depth category of the CAESAR competition. COLM realizes a nonce-based authenticated encryption with associated data and uses the popular AES blockcipher as its underlying primitive. We propose two possible blockcipher instantiations (with key of length 128 or 256 bits). We also define two COLM modes of operation variants: a primary COLM\(_0\) mode for general purpose applications, and a COLM\(_{\tau}\) variant with intermediate tag generation/verification geared to support low-end devices and applications where frequent verification is required. COLM is designed with security, simplicity, and efficiency in mind. The main design goal of COLM is high security: a primary feature of the defense in depth CAESAR category. COLM provides security beyond the traditional AE security. First, COLM is secure against nonce misuse, namely, it enables security in adversarial settings where the nonce inputs to the AE scheme repeat. In contrast to standardized and popular AE algorithms, such as GCM and OCB1-3 modes, whose AE security trivially breaks down when the nonce is repeated, COLM ensures both confidentiality and authenticity (AE) security with repeated nonces. Second, our COLM\(_{\tau}\) variant enables increased security levels in situations where release of unverified ciphertext (RUP) occurs due to its ability to limit a potential leakage by frequent verifications. In this work we prove COLM secure with respect to both confidentiality and authenticity (AE) security under nonce misuse in the well-known provable security framework. Our proofs show that COLM maintains n/2-bit security levels for block sizes of n bits. Furthermore, due to the inherent parallelism on both mode and primitive levels, our software performance results show that the price paid for enhanced security does come at the cost of minimal efficiency losses. More concretely, we implement GCM, COLM, and Deoxys-II on the Kaby Lake and Coffee Lake Intel platforms. Compared to the other winner in the defense in depth category Deoxys-II, our AE design COLM\(_0\) performs 10–20% faster for the 128-bit key version. Regarding the 256-bit key versions COLM\(_0\) is around 5% faster for short and 2% slower than Deoxys-II for the longer messages.

Source journal
Journal of Cryptology (Engineering & Technology: Engineering, Electrical & Electronic)
CiteScore: 7.10
Self-citation rate: 3.30%
Articles published: 24
Review time: 18 months
About the journal: The Journal of Cryptology is a forum for original results in all areas of modern information security. Both cryptography and cryptanalysis are covered, including information theoretic and complexity theoretic perspectives as well as implementation, application, and standards issues. Coverage includes such topics as public key and conventional algorithms and their implementations, cryptanalytic attacks, pseudo-random sequences, computational number theory, cryptographic protocols, untraceability, privacy, authentication, key management and quantum cryptography. In addition to full-length technical, survey, and historical articles, the journal publishes short notes.