User:Chenhequn

An authenticated encryption mode of a block cipher is a mode of operation that provides confidentiality and authenticity simultaneously.

Overview
Research on block ciphers began in the 1970s, and in the more than 30 years since then the field has developed rapidly. A block cipher is a symmetric-key cipher that, under a fixed key, maps n-bit plaintext blocks as input to n-bit ciphertext blocks as output.

A plaintext may be of any length, but a block cipher can only operate on a single fixed-length block. Several modes of operation have therefore been developed to handle messages of arbitrary length. The earliest modes, ECB (Electronic Codebook), CBC (Cipher Block Chaining), CFB (Cipher Feedback) and OFB (Output Feedback), provide confidentiality only (ECB not even that for repeated blocks, since equal plaintext blocks yield equal ciphertext blocks), while CBC-MAC, built on CBC, provides authenticity only; none of them provides both. A confidentiality-only mode lets an attacker modify the ciphertext undetected, so it must be paired with a separate MAC whenever integrity matters.

More recently developed modes provide confidentiality and authenticity simultaneously and are therefore called authenticated encryption (AE) modes. AE modes are built by improving or combining well-known modes whose security and performance are already well understood. For example, the CCM* mode combines counter mode with CBC-MAC, which is built on Cipher Block Chaining (CBC), and the GCM mode combines counter mode with a new hash over a Galois field. Counter mode is attractive because it is provably secure as long as a counter value never repeats under a key, and because it can be implemented efficiently. AE modes carry these advantages over and add a carefully chosen authentication algorithm to provide confidentiality and authenticity together. Some AE modes also have additional useful properties that suit them to particular applications.

Some AE modes
This section gives a brief introduction to some AE modes.

GCM
Galois/Counter Mode (GCM) is a block cipher mode of operation that provides authenticated encryption. As the name suggests, it combines the well-known counter mode with a new authentication component based on multiplication in a Galois field.

Authenticated Encryption and Authenticated Decryption: GCM uses a variant of counter mode with a 32-bit incrementing function to provide confidentiality. Authentication is provided by a hash function over the binary Galois field GF(2^128), called GHASH, whose key H is the block cipher encryption of the all-zero block. GCM has two functions, authenticated encryption and authenticated decryption.

The authenticated encryption function takes four inputs: a key, an initialization vector (IV), a plaintext (which is split into blocks) and additional authenticated data (AAD), which is authenticated but not encrypted. Its outputs are a ciphertext and an authentication tag.

The authenticated decryption function has five inputs: key, ciphertext, IV, AAD and authentication tag. Its single output is either the plaintext corresponding to the input ciphertext or a special symbol FAIL, which indicates that the inputs are not authentic. If the inputs were not produced by the encryption function under the same key, the function returns FAIL with high probability. An implementation must not release any plaintext before the tag has been verified.

Property: An additional useful property of GCM is that it can be used as a stand-alone MAC (GMAC) when no plaintext is input. GCM can also be used as an incremental MAC. GCM accepts IVs of arbitrary length, which makes it easy to generate non-repeating IVs. That IVs never repeat under a given key is essential: reusing an IV reuses the counter-mode keystream, which exposes the XOR of the two plaintexts and also allows an attacker to recover the hash key H and forge tags.

Implementation: Another important factor is implementation. GCM performs well in both hardware and software. Because it is based on counter mode, encryption can be pipelined and parallelized in hardware, and the binary field multiplication used for authentication is simple to implement in hardware. In software, GCM also performs well using table-driven field operations, although table lookups indexed by secret data must be implemented with care to avoid cache-timing leaks; processors with a carry-less multiply instruction avoid the tables altogether.
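The encryption and decryption functions described above, written out as an added example; this is not code from the page or from the GCM specification's authors. The block cipher is abstracted as encrypt_block; so that the script runs offline without an AES library it is a stand-in PRF built from HMAC-SHA256 truncated to one block (an assumption for the demo; real GCM uses AES-128, and GCM only ever calls the cipher in the forward direction). GHASH and the GF(2^128) multiplication do not depend on the block cipher, so ghash_known_answer_ok checks them against the GHASH value from the published AES-GCM test case with zero key, zero IV and one zero plaintext block. The rest shows the authenticated-decryption contract (constant-time tag check before any plaintext is produced), the path for IVs that are not 96 bits, and the IV-reuse failure mode. CWC has the same encrypt-then-MAC shape with a different hash function. The key, IV and messages in the usage block are constructed sample values.

```python
"""GCM-structured authenticated encryption over an abstract 128-bit block cipher."""
import hashlib
import hmac

BLOCK = 16
R = 0xE1 << 120     # GF(2^128) reduction constant for x^128 + x^7 + x^2 + x + 1
FAIL = object()     # the "special symbol FAIL" returned for inauthentic inputs


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 (assumption for this demo): HMAC-SHA256 truncated
    to one block, used as a keyed PRF. GCM only ever calls the block cipher in
    the forward direction, so any good PRF lets the mode itself be exercised."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gf128_mul(x: int, y: int) -> int:
    """Multiply x and y in GF(2^128) using GCM's bit order (bit 0 = leftmost bit)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _pad16(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % BLOCK)


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """GHASH_H(A, C): polynomial hash of pad(A) || pad(C) || [len(A)]64 || [len(C)]64."""
    hk = int.from_bytes(h, "big")
    s = _pad16(aad) + _pad16(ciphertext)
    s += (8 * len(aad)).to_bytes(8, "big") + (8 * len(ciphertext)).to_bytes(8, "big")
    y = 0
    for i in range(0, len(s), BLOCK):
        y = gf128_mul(y ^ int.from_bytes(s[i:i + BLOCK], "big"), hk)
    return y.to_bytes(BLOCK, "big")


def ghash_known_answer_ok() -> bool:
    """Check GHASH against AES-GCM test case 2 (key, IV and plaintext all zero):
    H = AES_0(0^128) and C is the ciphertext of one zero block. GHASH does not
    depend on the block cipher, so this validates the field arithmetic above."""
    h = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
    c = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
    return ghash(h, b"", c).hex() == "f38cbb1ad69223dcc3457ae5b6b0f885"


def _inc32(block: bytes) -> bytes:
    """GCM's incrementing function: add 1 to the rightmost 32 bits modulo 2^32."""
    ctr = (int.from_bytes(block[12:], "big") + 1) & 0xFFFFFFFF
    return block[:12] + ctr.to_bytes(4, "big")


def _j0(h: bytes, iv: bytes) -> bytes:
    """Pre-counter block J0: a 96-bit IV is used directly, any other length is GHASHed."""
    if len(iv) == 12:
        return iv + b"\x00\x00\x00\x01"
    return ghash(h, b"", iv)


def _ctr(key: bytes, j0: bytes, data: bytes) -> bytes:
    """Counter mode starting at inc32(J0); J0 itself is reserved for masking the tag."""
    out, cb = bytearray(), j0
    for i in range(0, len(data), BLOCK):
        cb = _inc32(cb)
        out += xor_bytes(data[i:i + BLOCK], encrypt_block(key, cb))
    return bytes(out)


def gcm_encrypt(key, iv, plaintext, aad=b""):
    """Inputs: key, IV, plaintext, AAD. Outputs: ciphertext and 128-bit tag."""
    h = encrypt_block(key, b"\x00" * BLOCK)     # hash subkey H = E_K(0^128)
    j0 = _j0(h, iv)
    ciphertext = _ctr(key, j0, plaintext)
    tag = xor_bytes(ghash(h, aad, ciphertext), encrypt_block(key, j0))
    return ciphertext, tag


def gcm_decrypt(key, iv, ciphertext, tag, aad=b""):
    """Inputs: key, ciphertext, IV, AAD, tag. Output: plaintext or FAIL."""
    h = encrypt_block(key, b"\x00" * BLOCK)
    j0 = _j0(h, iv)
    expected = xor_bytes(ghash(h, aad, ciphertext), encrypt_block(key, j0))
    # Verify in constant time, and before a single byte of plaintext is produced.
    if not hmac.compare_digest(expected, tag):
        return FAIL
    return _ctr(key, j0, ciphertext)


if __name__ == "__main__":
    key, iv = b"k" * 16, b"n" * 12                          # constructed sample values
    c, t = gcm_encrypt(key, iv, b"attack at dawn", aad=b"hdr")
    assert gcm_decrypt(key, iv, c, t, aad=b"hdr") == b"attack at dawn"
    assert gcm_decrypt(key, iv, c, t, aad=b"HDR") is FAIL   # AAD is authenticated too
    print("GHASH known answer matches:", ghash_known_answer_ok())
```

Encrypting two messages under the same key and IV gives ciphertexts whose XOR equals the XOR of the plaintexts, which is exactly the keystream-reuse leak the Property paragraph warns about; with a real cipher the only fix is never to repeat an IV under a key.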

CCM*
Counter with CBC-MAC* (CCM*) is another block cipher mode of operation that provides authenticated encryption. It is a variant of the CCM mode: it keeps the advantages of CCM and removes some of its restrictions.

Authenticated Encryption and Authenticated Decryption: CCM* uses CBC-MAC (built on CBC mode) to provide authenticity and counter mode to provide confidentiality. Both the encryption-authentication function and the decryption-verification function are separated into two parts, one providing authenticity and the other confidentiality. The order is MAC-then-encrypt: the CBC-MAC is computed over the nonce, the additional data and the plaintext, and the resulting tag is then encrypted in counter mode together with the plaintext. Decryption must therefore decrypt first and verify the tag afterwards, and must discard the decrypted plaintext if verification fails.

Property: Unlike CCM, CCM* also provides a confidentiality-only service, in which case data authenticity, if required, must come from an external mechanism. It can also be used with variable-length authentication tags. The confidentiality-only service should be used with care: a counter-mode ciphertext without a tag is malleable, since flipping a ciphertext bit flips the corresponding plaintext bit without detection.

Implementation: CCM* uses CBC-MAC to provide authenticity, but CBC-MAC cannot be pipelined or parallelized, because each block cipher call depends on the output of the previous one. CCM* also processes every message block twice, once for the MAC and once for encryption. Therefore no implementation of CCM*, in hardware or software, can be as efficient as that of a single-pass or fully parallelizable mode.
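The two-part structure just described, written out as an added example; this is not code from the page or from any CCM specification. The block cipher is a stand-in PRF (HMAC-SHA256 truncated to one block, an assumption so the script runs offline; real CCM uses AES-128, and CCM uses the cipher only in the forward direction, for both the CBC-MAC and the keystream). The block layout follows RFC 3610 with the length-field size L = 2, which fixes a 13-byte nonce, and format_for_mac is checked against the first two formatted blocks of RFC 3610's packet vector #1. The tag length M may be 0, the CCM* confidentiality-only service. The usage block at the bottom shows what the tag buys: with M = 8 a flipped ciphertext bit is rejected, with M = 0 the same flip silently turns "transfer 100" into "transfer 900". The key, nonce and messages there are constructed sample values.

```python
"""CCM / CCM*-structured authenticated encryption (RFC 3610 block layout, L = 2)."""
import hashlib
import hmac

BLOCK = 16
L = 2            # bytes in the message-length field; the nonce is 15 - L = 13 bytes
FAIL = object()  # returned when the tag does not verify


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 (assumption for this demo): HMAC-SHA256 truncated to
    one block. CCM calls the cipher only in the forward direction, for both the
    CBC-MAC and the counter-mode keystream, so a PRF exercises the whole mode."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _pad16(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % BLOCK)


def format_for_mac(nonce: bytes, aad: bytes, msg: bytes, m: int) -> bytes:
    """B_0 || encoded AAD || zero-padded message, the input to the CBC-MAC.
    m is the tag length in bytes; m = 0 is the CCM* confidentiality-only case."""
    assert len(nonce) == 15 - L and len(msg) < 1 << (8 * L)
    assert len(aad) < (1 << 16) - (1 << 8)      # longer AAD needs the extended length encoding
    assert m in (0, 4, 6, 8, 10, 12, 14, 16)
    adata = 1 if aad else 0
    m_prime = (m - 2) // 2 if m else 0          # CCM*: a tag length of 0 is encoded as 0
    flags = (adata << 6) | (m_prime << 3) | (L - 1)
    b0 = bytes([flags]) + nonce + len(msg).to_bytes(L, "big")
    a_enc = _pad16(len(aad).to_bytes(2, "big") + aad) if aad else b""
    return b0 + a_enc + _pad16(msg)


def cbc_mac(key: bytes, data: bytes) -> bytes:
    """Raw CBC-MAC: X_1 = E(B_0), X_{i+1} = E(X_i xor B_i); the tag is a prefix of X_{n+1}."""
    x = b"\x00" * BLOCK
    for i in range(0, len(data), BLOCK):
        x = encrypt_block(key, xor_bytes(x, data[i:i + BLOCK]))
    return x


def _keystream_block(key: bytes, nonce: bytes, i: int) -> bytes:
    """S_i = E(A_i) with A_i = [L-1] || nonce || i; S_0 is reserved for masking the tag."""
    return encrypt_block(key, bytes([L - 1]) + nonce + i.to_bytes(L, "big"))


def _ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for idx in range(0, len(data), BLOCK):
        out += xor_bytes(data[idx:idx + BLOCK], _keystream_block(key, nonce, idx // BLOCK + 1))
    return bytes(out)


def ccm_encrypt(key, nonce, plaintext, aad=b"", m=8):
    """MAC-then-encrypt: CBC-MAC over the plaintext, then CTR over plaintext and tag."""
    ciphertext = _ctr(key, nonce, plaintext)
    if m == 0:
        return ciphertext, b""                  # CCM* encryption-only: no integrity at all
    t = cbc_mac(key, format_for_mac(nonce, aad, plaintext, m))[:m]
    return ciphertext, xor_bytes(t, _keystream_block(key, nonce, 0)[:m])


def ccm_decrypt(key, nonce, ciphertext, tag, aad=b"", m=8):
    """Decrypt first (the MAC covers plaintext), then verify; release nothing on failure."""
    plaintext = _ctr(key, nonce, ciphertext)
    if m == 0:
        return plaintext
    t = xor_bytes(tag, _keystream_block(key, nonce, 0)[:m])
    expected = cbc_mac(key, format_for_mac(nonce, aad, plaintext, m))[:m]
    if len(tag) != m or not hmac.compare_digest(expected, t):
        return FAIL                             # the decrypted buffer is dropped, not returned
    return plaintext


if __name__ == "__main__":
    key, nonce = b"k" * 16, b"n" * 13                       # constructed sample values
    c, tag = ccm_encrypt(key, nonce, b"transfer 100", aad=b"hdr", m=8)
    assert ccm_decrypt(key, nonce, c, tag, aad=b"hdr", m=8) == b"transfer 100"
    flipped = c[:9] + bytes([c[9] ^ 0x08]) + c[10:]          # '1' xor 0x08 == '9'
    print("M=8:", ccm_decrypt(key, nonce, flipped, tag, aad=b"hdr", m=8) is FAIL)
    c0, _ = ccm_encrypt(key, nonce, b"transfer 100", m=0)    # CCM* confidentiality only
    flipped0 = c0[:9] + bytes([c0[9] ^ 0x08]) + c0[10:]
    print("M=0:", ccm_decrypt(key, nonce, flipped0, b"", m=0))
```

Because the MAC is computed over plaintext, ccm_decrypt cannot reject a forgery until it has run the full counter-mode pass; a decryptor that streams plaintext out before the final comparison would defeat the authentication entirely, which is the reason the function only returns the buffer after the check.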

OCB
Offset Codebook (OCB) is another AE mode, which provides confidentiality and authenticity simultaneously. Before AE modes appeared, confidentiality and authenticity were provided separately by two mechanisms: a block cipher mode for confidentiality and a MAC for authenticity. OCB combines a block cipher and a MAC in a single pass, and its computational cost is lower than that of the two separate mechanisms.

Authenticated Encryption and Authenticated Decryption: OCB takes the key, a nonce and the plaintext as the inputs of the encryption function and outputs the nonce, the ciphertext and an authentication tag. The decryption function takes the key, the nonce, the ciphertext and the tag, recomputes the plaintext and the tag from them, and after comparing the received tag with the recomputed one returns either the plaintext or INVALID.

Property: Because OCB provides authenticity with a MAC, OCB is plaintext-aware. Furthermore, OCB is semantically secure against chosen-plaintext attack, and together with the authenticity of ciphertexts this implies security against a stronger attack, namely semantic security under chosen-ciphertext attack. This mode therefore provides satisfactory security guarantees.

Implementation: Because OCB is fully parallelizable, the different ciphertext blocks can be computed at the same time, so it can be efficiently implemented in hardware and software. It needs only about one block cipher call per plaintext block, plus a small constant number of additional calls.

CWC
Carter-Wegman Counter (CWC) is an AE mode that uses counter mode and a Carter-Wegman universal hash function to provide confidentiality and authenticity respectively.

Authenticated Encryption and Authenticated Decryption: For a given nonce and plaintext, the CWC-CTR algorithm encrypts the plaintext under the key and returns the ciphertext. The CWC-MAC algorithm then generates the authentication tag under the key from this ciphertext together with the nonce and the additional authenticated data, using the CWC-HASH algorithm as the underlying universal hash function. The outputs are the ciphertext and the authentication tag. The decryption algorithm works in the reverse order: CWC-MAC recomputes the authentication tag and compares it with the received tag; if the two are equal, CWC-CTR decrypts the ciphertext and the plaintext is returned, otherwise INVALID is returned. Because the tag is computed over the ciphertext (encrypt-then-MAC), a forged message is rejected without being decrypted at all.

Property: The outstanding point of this mode is its combination of important properties: provable security, parallelizability, and freedom from intellectual property concerns (unlike OCB, which was covered by patents at the time).

Implementation: CWC can be efficiently implemented in hardware and software. Counter mode, which provides confidentiality, is parallelizable, and since polynomial evaluation can also be parallelized, the Carter-Wegman universal hash function can be efficiently implemented as well.